richfelker / musl-cross-make

Simple makefile-based build for musl cross compiler


musl git sources are not verified

ollieparanoid opened this issue · comments

Hi there,

when downloading musl via git (which is the default), the sources get downloaded over a plain git connection without any encryption or verification.

Please switch to downloading tarballs only (where the hashes do get checked) and disable the insecure git retrieval until a HTTPS git mirror can be used.

Maybe someone can talk to the musl developers and ask for a HTTPS git mirror.

Thank you.

While in light of sha1 being broken it's not strong against an adversary with heavy resources, use of a specific git revision (MUSL_VER = git-$sha1) is verified by "git fsck" which the top-level Makefile performs. It's only if you use (and thereby trust) a branch name or tag that it's unverified. Maybe this should be documented better.

You are right, I did not notice the git fsck call and the implicit checkout of a specific branch - thank you for explaining.
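As an added illustration that is not part of musl-cross-make or this thread, the distinction drawn above written as a POSIX shell check: a MUSL_VER of the form git-<40-hex sha1> pins a commit that git fsck can verify, a branch or tag name pins nothing, and a release version is covered by the repo's stored tarball hashes. The function names and the exact fsck invocation are this example's own, not the Makefile's.

```shell
#!/bin/sh
# Added example (not from musl-cross-make): classify MUSL_VER values and
# verify a pinned git checkout. Function names are this example's own.

# Prints "pinned" for git-<full sha1> (git can verify the whole tree),
# "unverified" for git-<branch-or-tag> (trust rests on the server), and
# "tarball" for a release version (checked against stored hashes).
classify_musl_ver() {
    case "$1" in
        git-*)
            if printf '%s\n' "$1" | grep -Eq '^git-[0-9a-f]{40}$'; then
                echo pinned
            else
                echo unverified
            fi ;;
        *) echo tarball ;;
    esac
}

# Verify a checkout against MUSL_VER=git-<sha1>: refuse unpinned values,
# require HEAD to be exactly that commit, and run git fsck so every object
# reachable from it is re-hashed. Returns 0 only if all three hold.
verify_pinned_checkout() {
    dir=$1
    want=${2#git-}
    [ "$(classify_musl_ver "$2")" = pinned ] || return 1
    head=$(git -C "$dir" rev-parse --verify 'HEAD^{commit}' 2>/dev/null) || return 1
    [ "$head" = "$want" ] || return 1
    git -C "$dir" fsck --full --no-progress >/dev/null 2>&1
}
```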