
Re: git and https



On Thu, May 28, 2015 at 10:30:58AM +0200, Tollef Fog Heen wrote:
> ]] Wouter Verhelst 
> 
> > - Most importantly, you need to configure your webserver and SSL library
> >   so it disables outdated protocol versions, enables newer secure
> >   protocol versions (doing so in a way that older proprietary clients
> >   who don't speak those newer versions yet and make up the majority of
> >   your target audience aren't excluded), and a whole bunch of other
> >   things.
> 
> We should make sure the defaults shipped here are up to date with latest
> security practices, IMO.  And yes, I think we should update those in
> security updates too.
> 
> [...]
> 
> > In contrast, gpg just requires you to generate a key, and configure git
> > to use it. That's it. Yes, preferably you'd get that key signed by
> > someone else so you're part of the web of trust, but that isn't a
> > prerequisite (that is, you can start signing today, and worry about
> > getting your key added to the WoT later). Explaining how to do that can
> > be done in a fairly short web page.
> 
> You mean, apart from telling it to use sha256 for sigs, etc?

And telling it to use a large enough key using the correct encryption
algorithm. That's something more easily documented than doing the SSL
stuff, though. The advantage of gpg is that people are less likely to
run 10-year-old versions that require a trade-off between "do it safely"
and "make sure everyone who cares can use it".

(less of a problem for git as opposed to random websites, I suppose, but
still)

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
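As an added example, not part of this thread, here is the "tell gpg to use sha256 for sigs, a large enough key, and configure git to use it" recipe the reply refers to, written as a shell script: the gpg.conf digest preferences, the git config commands, and a small audit function that flags a gpg.conf still relying on the SHA-1 default of older gpg releases. The key id is a constructed placeholder, and RSA 4096 as the key size is my assumption, since the message only says "large enough".

```shell
#!/bin/sh
# Hardened gpg/git signing setup plus an audit of an existing gpg.conf.
# SIGNING_KEY is a constructed placeholder, not a real key id.
set -eu

SIGNING_KEY="${SIGNING_KEY:-0000000000000000}"

# gpg.conf lines that make gpg sign with SHA-2 instead of the SHA-1 default
# that older gpg releases shipped with. cert-digest-algo covers key
# certification signatures, digest-algo covers data (commit) signatures.
hardened_gpg_conf() {
    cat <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256
digest-algo SHA256
cert-digest-algo SHA256
personal-cipher-preferences AES256 AES192 AES
EOF
}

# git config commands that point git at the key and sign every commit.
# The key itself is assumed to be generated with:
#   gpg --full-generate-key   (choose RSA, 4096 bits; assumption, see lead-in)
git_signing_commands() {
    printf 'git config --global user.signingkey %s\n' "$SIGNING_KEY"
    printf 'git config --global commit.gpgsign true\n'
}

# Audit: returns 0 when the given gpg.conf explicitly selects a SHA-2
# digest for both data and certification signatures, 1 when either
# setting is missing (falling back to the gpg default) or set to SHA1.
audit_gpg_conf() {
    conf="$1"
    [ -f "$conf" ] || return 1
    if grep -Eq '^[[:space:]]*digest-algo[[:space:]]+SHA(224|256|384|512)' "$conf" \
       && grep -Eq '^[[:space:]]*cert-digest-algo[[:space:]]+SHA(224|256|384|512)' "$conf"; then
        return 0
    fi
    return 1
}

# Stand-alone use: print the config to apply and audit the live gpg.conf.
if [ "${1:-}" = "--show" ]; then
    hardened_gpg_conf
    git_signing_commands
    audit_gpg_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf" \
        && echo "gpg.conf: SHA-2 digests configured" \
        || echo "gpg.conf: still on the default digest, apply the lines above"
fi
```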

