In Ubuntu kernel with grsecurity, the instructions dictate that one should clone the Ubuntu source from kernel.ubuntu.com:
However, according to the git manual page, cloning a repository using the 'git' protocol is not secure:
The content of the download is also never verified in the Verify the digital signatures section.
According to the Ubuntu documentation, there are a couple ways to obtain the Ubuntu source code. Option B seems like the most secure method for obtaining the source:
sudo apt-get source linux-image-$(uname -r)
Alternatively, at the cost of some security, you can continue to use Option A and verify the signature on each tag. The problem with this is that each tag is signed by a different person at Canonical and it is not practical for Secure Drop users to obtain the public key of each Canonical kernel developer. This method also relies on the SHA1 signatures used by git which have known weaknesses (although the attacks are not very practical).
I recommend changing the instructions for obtaining the Ubuntu source to either use apt-get or provide instructions on verifying git tags. Thank you.
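Added example, not part of the original issue or of the SecureDrop instructions: one way to cope with tags signed by several different people is to pin a list of primary-key fingerprints and check the raw GnuPG status that `git verify-tag --raw` prints. The fingerprints, function names and sample status lines below are constructed for illustration.

```sh
#!/bin/sh
# Hypothetical allowlist of primary-key fingerprints, one per line. These are
# constructed placeholders, not real Canonical keys; fill in fingerprints
# you have checked out of band.
PINNED_FPRS='AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
0123456789ABCDEF0123456789ABCDEF01234567'

# is_pinned FPR: succeed only if FPR is exactly one line of the allowlist.
is_pinned() {
    [ -n "$1" ] && printf '%s\n' "$PINNED_FPRS" | grep -qxF -- "$1"
}

# check_tag_status: read GnuPG status lines on stdin, e.g.
#   git verify-tag --raw "$tag" 2>&1 >/dev/null | check_tag_status
# Succeed only if a VALIDSIG line names a pinned primary key and no line
# reports a bad, unverifiable, expired or revoked signature.
check_tag_status() {
    cts_ok=1
    cts_fpr=
    while IFS= read -r cts_line; do
        case "$cts_line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*)
                return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # First field: key that made the signature (may be a subkey).
                # Last field: fingerprint of its primary key, which is pinned.
                set -- ${cts_line#"[GNUPG:] VALIDSIG "}
                for cts_fpr in "$@"; do :; done
                is_pinned "$cts_fpr" && cts_ok=0 ;;
        esac
    done
    return "$cts_ok"
}

# Constructed sample status output (not captured from a real tag).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333222211110000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2015-01-01 1420070400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_UNPINNED='[GNUPG:] GOODSIG FFFF0000FFFF0000 Unknown <unknown@example.invalid>
[GNUPG:] VALIDSIG FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000 2015-01-01 1420070400 0 4 0 1 8 00 FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000'
SAMPLE_EXPIRED='[GNUPG:] EXPKEYSIG 3333222211110000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2015-01-01 1420070400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
```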