| Summary: | media-video/ffmpeg-9999 git-r3: git protocol is completely unsecure and may render the ebuild easily susceptible to MITM attacks (even if used only as fallback). Please use https instead. [URI:git://source.ffmpeg.org/ffmpeg.git] | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | stressfactor <redditcensorshipsucks> |
| Component: | Current packages | Assignee: | Gentoo Media-video project <media-video> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | candrews, jstein, tsmksubc |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | change url to https | | |

source.ffmpeg.org redirects to git.videolan.org, where the git address is displayed as: https://git.videolan.org/git/ffmpeg.git

Setting the EGIT_REPO_URI line to this address in ffmpeg-9999.ebuild builds successfully and eliminates the warning.

A Blamey, do you mean you think the URI used in the attached patch is not good in any way?

Prepared a commit, waiting for ack from aballier or other media-video folks before I push it.

I was just noting that the old url in the ebuild (source.ffmpeg.org) is a 302-redirect to https://git.videolan.org/?p=ffmpeg.git

On that page the git url is displayed as https://git.videolan.org/git/ffmpeg.git

Now I checked the official dev docs at https://www.ffmpeg.org/download.html#get-sources, and it lists: https://git.ffmpeg.org/ffmpeg.git ... so the patch looks more official.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceea89e0ccdec38fa1876b96c8505284dba6059b

    commit ceea89e0ccdec38fa1876b96c8505284dba6059b
    Author:     Andrey Utkin <andrey_utkin@gentoo.org>
    AuthorDate: 2018-01-15 19:25:00 +0000
    Commit:     Andrey Utkin <andrey_utkin@gentoo.org>
    CommitDate: 2018-01-15 20:16:44 +0000

        media-video/ffmpeg: use HTTPS for EGIT_REPO_URI

        Suggested-by: stressfactor <redditcensorshipsucks@protonmail.com>
        Acked-by: Alexis Ballier <aballier@gentoo.org>
        Closes: https://bugs.gentoo.org/629938
        Package-Manager: Portage-2.3.19, Repoman-2.3.6

     media-video/ffmpeg/ffmpeg-9999.ebuild | 4 ++--
     1 file changed, 2 insertions(+), 2 deletions(-)

Created attachment 492406: change url to https

The ffmpeg 9999 ebuild complains about using the git-r3 protocol and suggests we use https instead. Just changing the URL to the https one on the ffmpeg website fixed it for me.

Warning message in ebuild: "git protocol is completely unsecure and may render the ebuild easily susceptible to MITM attacks (even if used only as fallback). Please use https instead. [URI:git://source.ffmpeg.org/ffmpeg.git]"

First bug report. Excuse me if I didn't follow proper procedure.
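
An added example, not part of the bug report or the Gentoo tree: a shell audit that finds every `EGIT_REPO_URI` entry still using a cleartext transport, fallback URIs included, so the same fix can be applied before the eclass warning is hit at build time. The function names, the sample tree and the `example.org` URIs are constructed for illustration, and flagging `http://` alongside `git://` is an assumption of this example (the warning quoted above names only `git://`).

```shell
#!/bin/sh
# Added example (not from the bug report): audit an ebuild tree for
# EGIT_REPO_URI entries that use a cleartext, unauthenticated transport.
# Assumption: values are bare, double-quoted (possibly multi-line) or a
# bash array; flagging http:// alongside git:// is this example's choice.

audit_egit_uris() {
    # $1 = root of the tree. Prints "path: uri" per finding, sorted.
    # Returns 1 if anything was found, 0 if the tree is clean.
    findings=$(find "$1" -type f -name '*.ebuild' -exec awk '
        FNR == 1 { inval = 0 }                 # new file: reset state
        /^[ \t]*EGIT_REPO_URI[+]?=/ {          # start of an assignment
            sub(/^[^=]*=/, "")
            closer = ($0 ~ /^\(/) ? ")" : (($0 ~ /^"/) ? "\"" : "")
            sub(/^[("]/, "")
            inval = 1
        }
        inval {
            # Every URI in the value counts, fallbacks included.
            last = (closer == "") || index($0, closer)
            n = split($0, tok, /[ \t"()]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^(git|http):\/\//) print FILENAME ": " tok[i]
            if (last) inval = 0
        }' {} + | sort)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

make_sample_tree() {
    # Constructed sample ebuilds (not real tree contents); $1 = target dir.
    mkdir -p "$1/pkg-a" "$1/pkg-b" "$1/pkg-c"
    printf 'EGIT_REPO_URI="git://source.ffmpeg.org/ffmpeg.git"\n' \
        > "$1/pkg-a/a-9999.ebuild"
    printf 'EGIT_REPO_URI="https://git.ffmpeg.org/ffmpeg.git"\n' \
        > "$1/pkg-b/b-9999.ebuild"
    printf 'EGIT_REPO_URI="https://example.org/c.git\n\tgit://example.org/c.git"\n' \
        > "$1/pkg-c/c-9999.ebuild"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
audit_egit_uris "$demo" || echo "insecure EGIT_REPO_URI entries found"
rm -rf "$demo"
```

The non-zero return status makes the function usable as a CI gate over an overlay; the third sample ebuild shows that an HTTPS primary URI does not hide a `git://` fallback.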