[cfarm-users] Unable to git pull on gcc112

Vincent Lefevre vincent at vinc17.net
Thu Mar 31 10:52:46 CEST 2022


On 2022-03-30 18:52:23 -0500, Jacob Bachmeyer via cfarm-users wrote:
> Vincent Lefevre via cfarm-users wrote:
> > On 2022-03-29 22:01:26 -0500, Jacob Bachmeyer via cfarm-users wrote:
> > > Jeffrey Walton via cfarm-users wrote:
> > > > When I try git://github.com/weidai11/cryptopp/:
> > > > 
> > > > $ git pull
> > > > fatal: remote error:
> > > >  The unauthenticated git protocol on port 9418 is no longer supported.
> > > While this does not help you, the root of this latter problem seems to be
> > > that GitHub has decided to deliberately break compatibility with one of
> > > Git's standard features using "security" as an excuse.  This is, of course,
> > > ridiculous for public repositories, since public repositories are, well,
> > > public.
> > 
> > Even though they are public, you still need to have a way to
> > authenticate the host to ensure that you will not connect to
> > a fake server (in particular with "git clone").

Actually an attack is also possible for "git pull".

> Easily solved by checking the HEAD commit against a known-good ID; either
> the origin tracking branch in your local copy, or as I have done in the past
> with GitHub, by looking at the (HTTPS) Web page.  If those IDs match, you
> have the correct data, with overwhelming probability.  If they do not match,
> find the differences and you have just caught an attacker in the act.

AFAIK, this also needs to be done for every branch that will
potentially be used.

Most users will not do such checks, so it's quite understandable
that GitHub disabled an insecure protocol. Nowadays, I don't see
the point of not using a secure protocol.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
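
Added example, not part of the original message: one way to run the ID comparison discussed above for every branch rather than only HEAD, by diffing a branch listing obtained over an authenticated channel against the listing of the copy being checked. The names `compare_heads` and `demo`, the `HOST/OWNER/REPO` placeholder and the sample IDs are constructed for illustration.

```shell
#!/bin/sh
# Both inputs use `git ls-remote --heads` format:
#   <commit-id><TAB>refs/heads/<branch>
# trusted: e.g. `git ls-remote --heads https://HOST/OWNER/REPO` (TLS-authenticated)
# fetched: the same kind of listing from the copy or transport being checked.

compare_heads() {
    # Refuse an empty trusted listing: it would make every branch look fine.
    [ -s "$1" ] || { echo "trusted listing is empty" >&2; return 2; }
    ch_report=$(awk '
        NR == FNR { want[$2] = $1; next }      # first file: trusted IDs
        { seen[$2] = 1 }
        !($2 in want)  { print "EXTRA " $2; next }
        want[$2] != $1 { print "MISMATCH " $2 " want=" want[$2] " got=" $1 }
        END { for (r in want) if (!(r in seen)) print "MISSING " r }
    ' "$1" "$2" | LC_ALL=C sort)
    if [ -z "$ch_report" ]; then return 0; fi
    printf '%s\n' "$ch_report"
    return 1
}

# Constructed sample data, not real commit IDs.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 refs/heads/master \
        2222222222222222222222222222222222222222 refs/heads/release \
        3333333333333333333333333333333333333333 refs/heads/dev > "$d/trusted"
    printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 refs/heads/master \
        aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/heads/release \
        4444444444444444444444444444444444444444 refs/heads/extra > "$d/fetched"
    demo_rc=0
    compare_heads "$d/trusted" "$d/fetched" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# Exit status 0 means every branch head matches the trusted listing.
demo || echo "branch heads differ from the trusted listing"
```

A branch reported as MISMATCH, EXTRA or MISSING is one whose fetched head cannot be vouched for by the trusted listing and needs inspection before use.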

