version deps
need at least http-client-0.4.31 to build now, and connection-0.2.6
parent
c5166b56af
commit
991265e724
4 changed files with 60 additions and 2 deletions
17
doc/devblog/day_503__security_hole_part_5.mdwn
Normal file
|
@ -0,0 +1,17 @@
|
|||
Started testing that the security fix will build everywhere on
|
||||
release day. This is being particularly painful for the android build,
|
||||
which has very old libraries and needed http-client updated, with many
|
||||
follow-on changes, and is not successfully building yet after 5 hours.
|
||||
I really need to finish deprecating the android build.
|
||||
|
||||
Pretty exhausted from all this, and thinking what to do about
|
||||
external special remotes, I elaborated on an idea that Daniel Dent had
|
||||
raised in discussions about vulnerability, and realized that git-annex
|
||||
has a second, worse vulnerability. This new one could be used to trick a
|
||||
git-annex user into decrypting gpg encrypted data that they had
|
||||
never stored in git-annex. The attacker needs to have control of both an
|
||||
encrypted special remote and a git remote, so it's not an easy exploit to
|
||||
pull off, but it's still super bad.
|
||||
|
||||
This week is going to be a lot longer than I thought, and it's already
|
||||
feeling kind of endless..
|
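Review bot: The second paragraph (from "Pretty exhausted from all this" to "it's still super bad") publishes a second, worse vulnerability together with its preconditions, while the first paragraph shows the fix for the earlier hole is still being build-tested for release day. If doc/devblog is published from this repository, consider holding this entry on a private branch until the release is out, or trimming the paragraph to say only that a further issue was found. Separately, the commit message mentions only the http-client and connection version bounds, so the devblog entry would be easier to find in history as its own commit, and "discussions about vulnerability" probably wants "the vulnerability".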