I recently read an article about the supply chain vulnerability of accessing Git using the git:// protocol instead of https://. Because the Git protocol is neither encrypted nor authenticated, a well-positioned attacker could perform a Man In The Middle (MITM) attack while a client like F-Droid is cloning the repository. F-Droid would then build Privacy Browser with whatever modifications the attacker had inserted into the source code.
The solution to this problem is to use HTTPS. It is a less efficient transport for Git repositories, but it is encrypted and the server is authenticated by its certificate, which thwarts a MITM attack unless the attacker is also able to obtain a certificate for my domain that the client trusts.
Making this change requires modifying the URLs used to clone Privacy Browser’s repository. Previously the command was:
git clone git://git.stoutner.com/git/PrivacyBrowser.git
Now it is:
git clone https://git.stoutner.com/PrivacyBrowser.git
Similarly, the new command to clone the repository for the Privacy Browser ROM Integration is:
git clone https://git.stoutner.com/PrivacyBrowserROMIntegration.git
UltraList:
git clone https://git.stoutner.com/UltraList.git
UltraPrivacy:
git clone https://git.stoutner.com/UltraPrivacy.git
Making this change also requires changing the URL used for GitWeb to avoid a collision. Previously, the URL for GitWeb used the git.stoutner.com domain:
https://git.stoutner.com/?p=PrivacyBrowser.git;a=summary
Now it has changed to the gitweb.stoutner.com domain:
https://gitweb.stoutner.com/?p=PrivacyBrowser.git;a=summary
This means that old links in redmine.stoutner.com will not work unless they are updated. If I ever need to look at an old issue I will update the URL. Otherwise, if you want to follow one of the links, you can modify it yourself to switch to the new domain.
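The two URL changes above (git:// clone URLs to https://, and GitWeb links from git.stoutner.com to gitweb.stoutner.com) are mechanical, so here is a small POSIX shell helper that applies both rewrites and flags any remote that still uses an unencrypted transport. This is an added example written for this page; it is not Privacy Browser's own tooling. It assumes that the other repositories used the same /git/ path prefix under git:// that the Privacy Browser clone command did, which the post only shows for PrivacyBrowser.git, and the sample URL list at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or the Privacy Browser project.
# Rewrites legacy stoutner.com Git/GitWeb URLs and audits a remote list for
# unencrypted transports. Pure POSIX sh, no network access needed.

# Map git://git.stoutner.com/git/<repo>.git to https://git.stoutner.com/<repo>.git.
# The dropped /git/ path prefix matches the PrivacyBrowser clone command in the
# post; applying it to the other repositories is an assumption. Other URLs pass
# through unchanged.
to_https() {
  case "$1" in
    git://git.stoutner.com/git/*)
      printf 'https://git.stoutner.com/%s\n' "${1#git://git.stoutner.com/git/}" ;;
    *)
      printf '%s\n' "$1" ;;
  esac
}

# Map an old GitWeb link on git.stoutner.com to the new gitweb.stoutner.com host,
# keeping the ?p=...;a=... query string intact. Other URLs pass through unchanged.
gitweb_url() {
  case "$1" in
    https://git.stoutner.com/?p=*)
      printf 'https://gitweb.stoutner.com/%s\n' "${1#https://git.stoutner.com/}" ;;
    *)
      printf '%s\n' "$1" ;;
  esac
}

# Exit 0 if the URL uses a transport an on-path attacker can tamper with
# (git:// or plain http://), 1 otherwise. ssh:// and https:// are encrypted.
is_unencrypted() {
  case "$1" in
    git://*|http://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Count how many of the given URLs use an unencrypted transport.
count_unencrypted() {
  n=0
  for u in "$@"; do
    if is_unencrypted "$u"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample: the kind of list you would get from `git remote -v` or a
# .gitmodules file. Not taken from any real checkout.
for url in \
  'git://git.stoutner.com/git/PrivacyBrowser.git' \
  'https://git.stoutner.com/UltraList.git' \
  'ssh://git@example.invalid/repo.git'; do
  if is_unencrypted "$url"; then
    echo "INSECURE $url -> use $(to_https "$url")"
  else
    echo "ok       $url"
  fi
done
```

Two Git settings complement the rewrite: `git config --global protocol.git.allow never` makes Git refuse git:// remotes outright, and `git config --global url."https://git.stoutner.com/".insteadOf "git://git.stoutner.com/git/"` transparently substitutes the HTTPS URL in any existing clone or submodule. Note that HTTPS authenticates the server, not the history; it does not by itself tell you that a commit is the one the author published.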