Re: git and https

To: Josh Triplett <josh@joshtriplett.org>
Cc: debian-devel@lists.debian.org
Subject: Re: git and https
From: Wouter Verhelst <wouter@debian.org>
Date: Wed, 27 May 2015 10:08:35 +0200
Message-id: <[🔎] 20150527080835.GA20359@grep.be>
In-reply-to: <[🔎] 20150525183805.GA2452@x>
References: <[🔎] 55631103.3020200@zoho.com> <[🔎] 20150525183805.GA2452@x>

On Mon, May 25, 2015 at 11:38:06AM -0700, Josh Triplett wrote:
> > While we're on the subject of git security...should we stop
> > recommending that non-account-holders use git:// (most efficient, but
> > insecure against MITM unless you manually check the commit number) in
> > preference to https:// (at least some security)?
> > https://wiki.debian.org/Alioth/Git#Accessing_repositories
> 
> https:// is actually just as efficient as git:// these days (other than the
> minor overhead of TLS, which is worth it for security).

Why? Which attack do you envision (other than the ridiculous "the NSA would see
that we're pushing!", which they can by just doing a git clone too) that would
be thwarted by https but not by signed commits?

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Reply to:

Follow-Ups:
- Re: git and https
  - From: Chow Loong Jin <hyperair@debian.org>
- Re: git and https
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
- Re: git and https
  - From: Josh Triplett <josh@joshtriplett.org>
- Re: git and https
  - From: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

References:
- git and https
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
- Re: git and https
  - From: Josh Triplett <josh@joshtriplett.org>

Prev by Date: Re: Bits from the Stable Release Managers
Next by Date: Re: git and https
Previous by thread: Re: git and https
Next by thread: Re: git and https
Index(es):
- Date
- Thread