On Wed, May 27, 2015 at 10:08:35AM +0200, Wouter Verhelst wrote: > On Mon, May 25, 2015 at 11:38:06AM -0700, Josh Triplett wrote: > > > While we're on the subject of git security...should we stop > > > recommending that non-account-holders use git:// (most efficient, but > > > insecure against MITM unless you manually check the commit number) in > > > preference to https:// (at least some security)? > > > https://wiki.debian.org/Alioth/Git#Accessing_repositories > > > > https:// is actually just as efficient as git:// these days (other than the > > minor overhead of TLS, which is worth it for security). > > Why? Which attack do you envision (other than the ridiculous "the NSA would see > that we're pushing!", which they can by just doing a git clone too) that would > be thwarted by https but not by signed commits? How about "the NSA would see that I'm cloning the repository of a bunch of cracking tools?" Not sure how legal that is in the US, but I'm pretty certain it's illegal in some region somewhere. -- Kind regards, Loong Jin
Attachment:
signature.asc
Description: Digital signature