Bug 629938 - media-video/ffmpeg-9999 git-r3: git protocol is completely unsecure and may render the ebuild easily susceptible to MITM attacks (even if used only as fallback). Please use https instead. [URI:git://source.ffmpeg.org/ffmpeg.git]
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Media-video project
Reported: 2017-09-05 07:48 UTC by stressfactor
Modified: 2018-01-15 20:17 UTC


Attachments
change url to https (ffmpeg-9999.ebuild.patch,392 bytes, patch)
2017-09-05 07:48 UTC, stressfactor

Description stressfactor 2017-09-05 07:48:37 UTC
Created attachment 492406
change url to https

The ffmpeg 9999 ebuild complains about using the git-rg3 protocol and suggests we use https instead. Just changing the URL to the https one on the ffmpeg website fixed it for me.

Warning message in ebuild:

"git protocol is completely unsecure and may render the ebuild easily susceptible to MITM attacks (even if used only as fallback). Please use https instead. [URI:git://source.ffmpeg.org/ffmpeg.git]"

First bug report. Excuse me if I didn't follow proper procedure.
Comment 1 A Blamey 2018-01-15 13:15:31 UTC
source.ffmpeg.org redirects to git.videolan.org, where the git address is displayed as:
https://git.videolan.org/git/ffmpeg.git

Setting the EGIT_REPO_URI line to this address in ffmpeg-9999.ebuild builds successfully and eliminates the warning.
Comment 2 Andriy Utkin (RETIRED) gentoo-dev 2018-01-15 19:27:43 UTC
A Blamey, do you mean you think the URI used in the attached patch is not good in any way?

Prepared a commit, waiting for ack from aballier or other media-video folks before I push it.
Comment 3 A Blamey 2018-01-15 19:39:56 UTC
I was just noting that the old url in the ebuild (source.ffmpeg.org) is a 302-redirect to
https://git.videolan.org/?p=ffmpeg.git
On that page the git url is displayed as
https://git.videolan.org/git/ffmpeg.git

Now I checked the official dev docs at https://www.ffmpeg.org/download.html#get-sources, and it lists:
https://git.ffmpeg.org/ffmpeg.git
... so the patch looks more official.
Comment 4 Larry the Git Cow gentoo-dev 2018-01-15 20:17:10 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceea89e0ccdec38fa1876b96c8505284dba6059b

commit ceea89e0ccdec38fa1876b96c8505284dba6059b
Author:     Andrey Utkin <andrey_utkin@gentoo.org>
AuthorDate: 2018-01-15 19:25:00 +0000
Commit:     Andrey Utkin <andrey_utkin@gentoo.org>
CommitDate: 2018-01-15 20:16:44 +0000

    media-video/ffmpeg: use HTTPS for EGIT_REPO_URI
    
    Suggested-by: stressfactor <redditcensorshipsucks@protonmail.com>
    Acked-by: Alexis Ballier <aballier@gentoo.org>
    Closes: https://bugs.gentoo.org/629938
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 media-video/ffmpeg/ffmpeg-9999.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
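
Added example, not part of the bug report or the Gentoo tree: a POSIX shell audit that reads ebuild text and flags every `EGIT_REPO_URI` entry on an unauthenticated transport, including entries listed only as fallbacks, which the warning quoted in this bug also covers. The function names and sample inputs are constructed for illustration, and flagging `http://` alongside `git://` is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the Gentoo tree): audit ebuild text on stdin for
# EGIT_REPO_URI entries that use an unauthenticated transport.

# Print every URI assigned to EGIT_REPO_URI, one per line. Handles several
# whitespace-separated URIs (primary plus fallbacks) in a double-quoted string
# or a bash array, including values that continue over multiple lines.
egit_uris() {
    awk '
        /^[ \t]*EGIT_REPO_URI=/ {
            sub(/^[ \t]*EGIT_REPO_URI=/, ""); collecting = 1; q = 0; p = 0
        }
        collecting {
            line = $0
            sub(/[ \t]#.*$/, "", line)           # drop a trailing comment
            q += gsub(/"/, "", line)             # count and strip quotes
            p += gsub(/\(/, "", line); p -= gsub(/\)/, "", line)
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] != "") print w[i]
            if (q % 2 == 0 && p == 0) collecting = 0   # value is complete
        }'
}

# Report each URI; return 1 if any uses git:// or http:// (http:// is this
# example's assumption), so the function can gate a CI job. Fallbacks count too.
audit_ebuild() {
    rc=0
    uris=$(egit_uris)
    while IFS= read -r uri; do
        case $uri in
            "") ;;
            git://*|http://*) echo "INSECURE $uri"; rc=1 ;;
            *) echo "OK $uri" ;;
        esac
    done <<EOF
$uris
EOF
    return $rc
}

# Constructed sample inputs, using the URIs quoted in this bug.
sample_before() { printf '\tEGIT_REPO_URI="git://source.ffmpeg.org/ffmpeg.git"\n'; }
sample_after() { printf '\tEGIT_REPO_URI="https://git.ffmpeg.org/ffmpeg.git"\n'; }
sample_fallback() {
    printf 'EGIT_REPO_URI="https://git.ffmpeg.org/ffmpeg.git\n\tgit://source.ffmpeg.org/ffmpeg.git"\n'
}

sample_fallback | audit_ebuild || echo "fallback URI would trigger the warning"
```

To check a real file, feed it on stdin, for example `audit_ebuild < ffmpeg-9999.ebuild`; URIs built from variables are reported as written, unexpanded.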