
Re: git and https



Philipp Kern <pkern@debian.org> writes:

> Perfect is the enemy of good. Debian is already paying the protection
> money at this point and TBH I don't understand the resistance to add
> and promote the https:// variant of it. We can still switch to Let's
> Encrypt once it is available.

I don't object to promoting https.  I do think we should be careful about
what claims we make about MITM protection, since I believe https without
certificate pinning does not provide real MITM protection.  It does,
however, raise the bar against casual eavesdropping if you're already
having to pay the CA cartel for other reasons, and that's worthwhile.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

