
Re: git and https
Excerpts from Russ Allbery's message of 2015-05-27 22:23:02 -0700:
> Josh Triplett <josh@joshtriplett.org> writes:
> 
> > https:// avoids MITM;
> 
> If you aren't doing certificate pinning, I don't think you can really say
> this with a straight face.
> 

The word is "avoids", not "eliminates". Whatever happened to
defense in depth? There's no such thing as a perfect solution, but we
can at least lock the doors, right?

> It makes MITM moderately harder, at the cost of giving money to a bunch of
> exploitative clowns who have no concept of what security means.
> 

In the specific case where we'd recommend using https:// instead of git://
_for Debian's git services_, the cost noted above would not apply for
any Debian users because in theory we can use the Debian-specific CA.
