Dealing with circular BuildRequires?

Todd Zullinger tmz at
Fri Oct 7 19:38:04 UTC 2011

Jesse Keating wrote:
> On Oct 7, 2011, at 8:21 AM, Till Maas wrote:
>> On Fri, Oct 07, 2011 at 07:53:25AM -0700, Jesse Keating wrote:
>>> Might have gone quicker if you pull via git:// and then only push
>>> via ssh:// reducing your ssh handshakes by half.
>> How do you ensure the integrity of the git repo if it is pulled via
>> git://? As far as I can see doing this automatically is an invitation to
>> perform man-in-the-middle attacks.
> Sure that's a risk.  It'd take a fairly sophisticated attack to take
> advantage of it, but yes, it's a risk.  Strikes me as easier to just
> fake your way into the packager group and upload your bad-bits that
> way.  Everything is a balance between risk and performance.

Quite true.

For anyone that wanted a bit of both, you could pull via git and then
verify the hash of the branches before you used them.  It's quick to
use git ls-remote to get that information over ssh, for one branch,
or just heads, or whatever.

[tmz at panaeolus git (master)]$ git ls-remote ssh:// master
f8faec03bd41627fb60e26004b1727d30fabe94a    refs/heads/master

[tmz at panaeolus git (master)]$ git for-each-ref refs/remotes/origin/master
f8faec03bd41627fb60e26004b1727d30fabe94a commit refs/remotes/origin/master

Or just using cat:

[tmz at panaeolus git (master)]$ cat .git/refs/remotes/origin/master 

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
Religion. A daughter of Hope and Fear, explaining to Ignorance the
nature of the Unknowable.
    -- Ambrose Bierce, The Enlarged Devil's Dictionary, 1906
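The check Todd sketches above (fetch over the unauthenticated git:// transport, then confirm the branch head against what the ssh:// side reports before merging or building from it), written out as a small POSIX shell script.  This is an added example, not code from Todd's message or from the Fedora tooling.  It assumes the remote is named origin and that the ssh:// and git:// URLs are supplied by the caller; the sample ls-remote listing used below is constructed, not captured from a real server.  One detail worth noting: ask ls-remote for the full ref name (refs/heads/master), because a bare pattern such as "master" would also match refs/tags/master.

```shell
#!/bin/sh
# Added example (not from the original post): verify a branch fetched over
# git:// against the hash the authenticated ssh:// remote reports for it.

# Extract the object id for one full ref name from `git ls-remote` output,
# which is lines of "<sha>\t<refname>".  Prints nothing if the ref is absent.
ref_sha_from_ls_remote() {
    # $1: ls-remote output, $2: full ref name, e.g. refs/heads/master
    printf '%s\n' "$1" | awk -v ref="$2" '$2 == ref { print $1; exit }'
}

# Compare the head we have locally (from the git:// fetch) with the head the
# trusted transport reports.  Returns 0 on match, 1 on mismatch, 2 if the
# trusted remote does not have the ref at all.
verify_branch() {
    have_sha=$1
    trusted_sha=$2
    if [ -z "$trusted_sha" ]; then
        echo "ref not present on trusted remote" >&2
        return 2
    fi
    if [ "$have_sha" != "$trusted_sha" ]; then
        echo "MISMATCH: fetched $have_sha but trusted remote says $trusted_sha" >&2
        return 1
    fi
    return 0
}

# End-to-end check against a real repository (needs git and network access;
# the ssh:// URL and remote name are placeholders supplied by the caller).
verify_fetched_branch() {
    # $1: trusted ssh:// URL, $2: branch name, $3: local remote name (default origin)
    trusted_url=$1
    branch=$2
    remote=${3:-origin}
    # Full ref name so a tag with the same name cannot be mistaken for the branch.
    listing=$(git ls-remote "$trusted_url" "refs/heads/$branch") || return 3
    trusted=$(ref_sha_from_ls_remote "$listing" "refs/heads/$branch")
    have=$(git rev-parse --verify "refs/remotes/$remote/$branch") || return 3
    verify_branch "$have" "$trusted"
}

# Intended workflow (hypothetical URLs, not from the original message):
#   git fetch git://HOST/PATH master          # cheap, unauthenticated
#   verify_fetched_branch ssh://HOST/PATH master && \
#       git merge --ff-only refs/remotes/origin/master
```

The comparison only tells you that the history you fetched is the one the ssh server currently advertises; it does not say anything about whether that history is good, which is the packager-group concern raised earlier in the thread.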


More information about the devel mailing list