4 Jul 2017, 3:19 a.m.
On 04/07/17 13:15, Eli Schwartz wrote:
> As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html git doesn't check that the tag name matches what an annotated tag object *thinks* it should be called. This is a bit of a theoretical attack and some would argue that we should always use commits since upstream can legitimately change a tag, but nevertheless this can result in a downgrade attack if the git download transport was manipulated.
>
> So, check the tag blob to make sure the tag actually matches the name we used for `git checkout`.
>
> Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
This should be fixed in git.
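The check the patch describes, written out as an added example that is not pacman/makepkg's own code: read the annotated tag object (what `git cat-file -p <ref>` prints) and refuse when its embedded `tag` header differs from the name used for checkout. The tag objects, tagger identities and object SHAs below are constructed placeholders.

```shell
# Read a raw annotated tag object on stdin and print its "tag" header.
# Only the header block before the first blank line is inspected, so a
# message line that happens to start with "tag " cannot pose as the header.
tag_object_name() {
    while IFS= read -r line; do
        [ -z "$line" ] && return 1
        case $line in
            "tag "*) printf '%s\n' "${line#tag }"; return 0 ;;
        esac
    done
    return 1
}

# Succeed only if the object's embedded name equals the name we checked out.
check_tag_name() {
    expected=$1
    actual=$(tag_object_name) || return 1
    [ "$actual" = "$expected" ]
}

# Constructed sample: a well-formed v1.2.0 tag object (placeholder SHA).
GOOD_TAG='object 0000000000000000000000000000000000000000
type commit
tag v1.2.0
tagger Example Maintainer <maint@example.invalid> 1499130000 +0000

release v1.2.0'

# Constructed sample: the older v1.1.0 tag object served under the ref name
# v1.2.0, i.e. the downgrade the tag-name check is meant to catch.
STALE_TAG='object 1111111111111111111111111111111111111111
type commit
tag v1.1.0
tagger Example Maintainer <maint@example.invalid> 1496450000 +0000

release v1.1.0'

printf '%s\n' "$GOOD_TAG"  | check_tag_name v1.2.0 && echo "v1.2.0: tag name matches"
printf '%s\n' "$STALE_TAG" | check_tag_name v1.2.0 || echo "v1.2.0: tag name mismatch, refusing checkout"
```

In a real run the object text comes from `git cat-file -p "refs/tags/$tag"` instead of the embedded samples.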