
Re: git and https



]] Wouter Verhelst 

> - Most importantly, you need to configure your webserver and SSL library
>   so it disables outdated protocol versions, enables newer secure
>   protocol versions (doing so in a way that older proprietary clients
>   who don't speak those newer versions yet and make up the majority of
>   your target audience aren't excluded), and a whole bunch of other
>   things.

We should make sure the defaults shipped here are up to date with latest
security practices, IMO.  And yes, I think we should update those in
security updates too.

[...]

> In contrast, gpg just requires you to generate a key, and configure git
> to use it. That's it. Yes, preferably you'd get that key signed by
> someone else so you're part of the web of trust, but that isn't a
> prerequisite (that is, you can start signing today, and worry about
> getting your key added to the WoT later). Explaining how to do that can
> be done in a fairly short web page.

You mean, apart from telling it to use sha256 for sigs, etc?  IIRC, the
defaults for GPG aren't very appropriate either.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
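
The point about GnuPG's signature digest above can be checked on real output rather than trusted to configuration. The following is an added example, not code from this thread, from git or from GnuPG: it reads the hash-algorithm octet out of a v3 or v4 OpenPGP signature packet (RFC 4880, sections 4.2 and 5.2), which is exactly the "digest algo" value that `gpg --list-packets` prints, so you can confirm that a commit or tag signature was made with SHA-2 and not SHA-1. The two sample packets at the bottom are constructed by hand for the demonstration: they have valid packet framing but are not real signatures and will not verify against any key.

```python
"""Read the hash algorithm used by an OpenPGP signature (RFC 4880).

Added example for the thread above; not part of git or GnuPG.
"""
import base64

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}
SIGNATURE_TAG = 2  # RFC 4880 section 4.3


def dearmor(armored: str) -> bytes:
    """Strip a '-----BEGIN PGP SIGNATURE-----' armor and return raw packets."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("not an armored PGP signature")
    rest = lines[1:]
    ends = [i for i, l in enumerate(rest) if l.startswith("-----END PGP SIGNATURE-----")]
    if not ends:
        raise ValueError("armor is not terminated")
    block = rest[:ends[0]]
    # Armor headers (Version:, Comment:) end at the first blank line; git's
    # commit signatures carry an empty header section, so the blank line is
    # usually there even when no headers are.
    if "" in block:
        block = block[block.index("") + 1:]
    # The optional '=XXXX' line is the CRC-24 of the data, not packet bytes.
    return base64.b64decode("".join(l for l in block if not l.startswith("=")))


def parse_packet_header(data: bytes) -> tuple:
    """Return (tag, body_offset, body_length) of the first packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header, section 4.2.2
        tag = first & 0x3F
        l1 = data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not supported here")
    tag = (first >> 2) & 0x0F  # old-format header, section 4.2.1
    ltype = first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate packet length is not supported here")


def signature_hash_algo(packets: bytes) -> str:
    """Name of the hash algorithm in the first signature packet."""
    tag, off, length = parse_packet_header(packets)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packets[off:off + length]
    version = body[0]
    if version == 4:
        # v4 (section 5.2.3): version, signature type, pubkey algo, hash algo, ...
        algo_id = body[3]
    elif version == 3:
        # v3 (section 5.2.2): version, 0x05, sig type, time(4), key id(8),
        # pubkey algo, hash algo, ...
        algo_id = body[16]
    else:
        raise ValueError(f"unsupported signature packet version {version}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")


def is_weak_signature(armored: str) -> bool:
    """True if the armored signature was made with MD5, SHA-1 or RIPEMD-160."""
    return signature_hash_algo(dearmor(armored)) in WEAK_HASHES


def _constructed_v4_packet(hash_algo_id: int, new_format: bool) -> bytes:
    """CONSTRUCTED sample: correct framing, zero subpackets, dummy MPI.

    Not a real signature; it only exercises the parser above.
    """
    body = (bytes([4, 0x00, 1, hash_algo_id])  # v4, binary doc, RSA, hash
            + b"\x00\x00"                        # hashed subpackets: none
            + b"\x00\x00"                        # unhashed subpackets: none
            + b"\xab\xcd"                        # left 16 bits of the hash
            + b"\x00\x08\x80")                   # 8-bit MPI placeholder
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


def _constructed_armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"


SHA1_PACKET = _constructed_v4_packet(2, new_format=False)    # old-format header
SHA256_PACKET = _constructed_v4_packet(8, new_format=True)   # new-format header
SHA1_ARMORED = _constructed_armor(SHA1_PACKET)
SHA256_ARMORED = _constructed_armor(SHA256_PACKET)

if __name__ == "__main__":
    for name, arm in (("sha1 sample", SHA1_ARMORED), ("sha256 sample", SHA256_ARMORED)):
        print(name, signature_hash_algo(dearmor(arm)), "weak" if is_weak_signature(arm) else "ok")
```

To run it on a real commit, take the block between `-----BEGIN PGP SIGNATURE-----` and `-----END PGP SIGNATURE-----` from `git cat-file commit HEAD` (dropping the `gpgsig ` prefix on the first line; the single leading space on the continuation lines is stripped by `dearmor`) and pass it to `is_weak_signature`. The result should agree with the `digest algo` number that `gpg --list-packets` reports for the same signature. Newer GnuPG releases already default to SHA-256 for signatures, so the check matters most for signatures made with older defaults or with an explicit `digest-algo` setting in gpg.conf.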

