From acd03d5dfabf3c74c8daf78cc219fe96186738e7 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 18 Jan 2024 11:43:22 +0000
Subject: [PATCH] checkupdates: workaround Terrapin vuln
---
 .gitlab-ci.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b135357c22..afce870e5b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -300,6 +300,11 @@ checkupdates_runner:
 - apt-get install -y openssh-client
 - git config --global user.email "fdroidci@bubu1.eu"
 - git config --global user.name "F-Droid checkupdates bot"
+
+ # gitlab.com was still vulnerable to https://terrapin-attack.com/ when this was added
+ - printf 'Ciphers -chacha20-poly1305@openssh.com,*-cbc\nMACs -*etm*,*-sha1*\n'
+ > /etc/ssh/ssh_config.d/0-terrapin-workaround.conf
+
 - mkdir -p ~/.ssh
 - chmod 700 ~/.ssh
 - cp "${GITLAB_KNOWN_HOSTS}" ~/.ssh/known_hosts
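Review bot: Nothing in the added lines confirms that the drop-in written to `/etc/ssh/ssh_config.d/0-terrapin-workaround.conf` is actually read by the client. If the image's `/etc/ssh/ssh_config` lacks an `Include` for that directory (presumably present on the Debian-family image implied by `apt-get`, but not visible here), the job would silently keep the default ciphers and MACs. A follow-up step such as `- ssh -G gitlab.com | grep -Ei '^(ciphers|macs) '` right after the `printf` would put the effective algorithm lists in the job log. The comment describes the workaround as temporary but gives no removal condition; something like `# remove once gitlab.com no longer needs this (re-check against terrapin-attack.com)` would keep the restriction from outliving its purpose. The `checkupdates_runner` script list starts and ends outside this hunk.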