[pacman-dev] [PATCH] libmakepkg/integrity: check for invalid tags
Allan McRae
allan at archlinux.org
Tue Jul 4 03:19:42 UTC 2017
On 04/07/17 13:15, Eli Schwartz wrote:
> As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html
> git doesn't check that the tag name matches what an annotated tag object
> *thinks* it should be called. This is a bit of a theoretical attack and
> some would argue that we should always use commits since upstream can
> legitimately change a tag, but nevertheless this can result in a
> downgrade attack if the git download transport was manipulated.
>
> So, check the tag blob to make sure the tag actually matches the name we
> used for `git checkout`.
>
> Signed-off-by: Eli Schwartz <eschwartz93 at gmail.com>
This should be fixed in git.
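A check along the lines the commit message describes, as an added example written for this page rather than the patch itself or makepkg's own code: it reads the annotated tag object that a ref points at and refuses it when the embedded `tag` header names something other than the ref being checked out. `verify_tag_object` and `check_tag_ref` are hypothetical helper names, and the wrapper assumes `git` is in PATH.

```bash
#!/bin/bash
# Added example, not libmakepkg code: detect an annotated tag object whose
# embedded name does not match the ref name used for `git checkout`.

# Read an annotated tag object (as printed by `git cat-file -p <ref>`) on
# stdin and compare its "tag <name>" header against the expected ref name.
# Returns 0 on match, 1 on mismatch, 2 if the object is not an annotated tag.
verify_tag_object() {
    local expected=$1 line embedded=""
    # Only the header block (up to the first empty line) is authoritative;
    # the free-form message after it may mention any tag name it likes.
    while IFS= read -r line; do
        [ -z "$line" ] && break
        case $line in
            "tag "*) embedded=${line#tag } ;;
        esac
    done
    if [ -z "$embedded" ]; then
        printf 'error: object is not an annotated tag\n' >&2
        return 2
    fi
    if [ "$embedded" != "$expected" ]; then
        printf 'error: ref %s points at a tag object named %s\n' \
            "$expected" "$embedded" >&2
        return 1
    fi
    return 0
}

# Wrapper for a real checkout: given a repository path and a tag name,
# require an annotated tag whose embedded name matches the ref (needs git).
check_tag_ref() {
    local repo=$1 tag=$2 type
    type=$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null) || return 2
    if [ "$type" != tag ]; then
        printf 'error: %s is not an annotated tag (object type %s)\n' \
            "$tag" "$type" >&2
        return 2
    fi
    git -C "$repo" cat-file -p "refs/tags/$tag" | verify_tag_object "$tag"
}
```

Usage from a build script would be `check_tag_ref "$srcdir/$repo" "$tag" || exit 1` before the checkout; a lightweight tag is rejected too, since it carries no embedded name to compare against.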