[gnutls-devel] Fwd: Devel page points to insecure cloning of GnuTLS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 10 01:04:11 CET 2014


On 03/09/2014 06:46 AM, Synamics wrote:

> The page http://www.gnutls.org/devel.html points to
> "git://gitorious.org/gnutls/gnutls.git", which uses git protocol,
> without authentication of the downloaded packages.

> Why not substitute it with https://gitorious.org/gnutls/gnutls.git ?


The https transport only provides transport-layer authentication also,
which just proves that you're connecting to the gitorious server -- not
that the files in question are the correct files for the GnuTLS project.

To verify the provenance of the data, you need to check the OpenPGP
signatures in the git tag that you are interested in (there are tags
that correspond to each released version).  The tag should be signed by
Nikos Mavrogiannopoulos.

For example:

 git tag -v gnutls_3_2_12_1

I believe Nikos' key has the following fingerprint (but have not
verified it in person with him):

  1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171

gitorious' git https:// transport appears to be the "dumb" version,
which means that fetching a large repository with a complex history
(like that of the gnutls project) is expensive and slow.  The git://
transport is significantly faster and more efficient.

If you can spare the bandwidth and the CPU and RAM, you can try
comparing these two commands:

 time git clone https://gitorious.org/gnutls/gnutls.git

 time git clone git://gitorious.org/gnutls/gnutls.git

If gitorious used the git-http-backend (I don't know how well that would
integrate with their nginx+varnish setup), so that git could use the
smart http transport, I'd be more inclined to agree with the proposed
change (because transport security and privacy is better than cleartext
in general, even if the real cryptographic checks you want on the source
code need to come from the OpenPGP signatures in the repo itself), but
for efficiency purposes, I think the current choice of git:// is a
better one.

	--dkg
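The tag check dkg describes has one pitfall worth making explicit: `git tag -v` reports success for a good signature from any key in your keyring, so on a machine with many imported keys it does not by itself prove the tag was signed by the maintainer. The script below is an added example, not code from the original message or from the GnuTLS project. It runs `git verify-tag --raw`, which emits GnuPG's machine-readable status lines, and accepts the tag only if there is a GOODSIG (not an expired, revoked or bad one) and the VALIDSIG fingerprint, or the primary-key fingerprint on the same line, equals a pinned value. The pinned fingerprint is the one quoted in the mail; the status-line layout is GnuPG's documented one; the sample status text used in the check function's comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post or of GnuTLS): verify a git
# tag's OpenPGP signature AND pin the signer to a known fingerprint.
# `git tag -v` alone accepts a good signature from any key in the keyring;
# the fingerprint comparison below is the check that actually matters.
#
# Assumptions (not stated on the page): the fingerprint is the one quoted
# in the mail, and `git verify-tag --raw` is available.

EXPECTED_FPR="1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171"

# Canonicalise a fingerprint: drop whitespace, upper-case hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# check_tag_status EXPECTED_FPR STATUS_TEXT
# STATUS_TEXT is GnuPG's status output ("[GNUPG:] ..." lines), e.g.:
#   [GNUPG:] GOODSIG 29EE58B996865171 Nikos Mavrogiannopoulos <...>
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <rsvd> \
#            <pk-algo> <hash-algo> <class> <primary-key-fpr>
# Returns 0 only if the signature is GOODSIG (not bad/expired/revoked and
# not from an unknown key) and the signing-key or primary-key fingerprint
# on the VALIDSIG line equals EXPECTED_FPR.
check_tag_status() {
    want=$(norm_fpr "$1")
    status=$2

    # Any of these means the signature must not be accepted, even though
    # GnuPG still emits VALIDSIG for expired and revoked keys.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:] GOODSIG ' || return 1

    # Field 3 is the fingerprint of the key that made the signature (may
    # be a subkey); field 12, when present, is the primary-key fingerprint.
    got=$(printf '%s\n' "$status" |
        awk '/^\[GNUPG:\] VALIDSIG /{print $3, $12; exit}')
    [ -n "$got" ] || return 1
    for f in $got; do
        [ "$(norm_fpr "$f")" = "$want" ] && return 0
    done
    return 1
}

# verify_tag TAG: run git's own verification, then apply the pinned check.
# `--raw` makes git print GnuPG's status lines on stderr.
verify_tag() {
    out=$(git verify-tag --raw "$1" 2>&1) || return 1
    check_tag_status "$EXPECTED_FPR" "$out"
}

# Usage: sh verify-tag.sh gnutls_3_2_12_1   (run inside the gnutls clone)
if [ $# -gt 0 ]; then
    if verify_tag "$1"; then
        echo "tag $1: signed by pinned key"
    else
        echo "tag $1: REJECTED (bad signature or unexpected signer)" >&2
        exit 1
    fi
fi
```

Compare the pinned fingerprint against a copy obtained out of band (as dkg notes, the one in the mail has not been verified in person); with that done, the keyring's trust settings no longer matter for this check.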

