[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Death to git://! Long live git://!

Hey devel,

We still have `git://` all over the place, for instance, on Vcs-Git on
control files. That makes me sad. Boo insecure transports.

`git://` is plaintext, and plaintext transports are bad.

I'd like to suggest we move all Vcs-Git entries to either `https` or

Signing tags is a good step, yes, but there will always be unsigned
contents at the head of the branch, and users won't always check them
when cloning a package locally. I'm sure some DDs out there will even
debcheckout and upload after checking a `git diff` rather than a
`debdiff`, because git never lies, right?

Not everyone pulls down the package and uses debdiff, and it only takes
one mistake to own systems.

`git://` provides no upside and really shouldn't exist anymore. GitHub
has even turned it off[1]

Are we going to let GitHub do best practices better than Debian? Hello
no! Let's do this.

There's no downside, and `git://` provides no value. Let's kill it from
the archive.

Plus, `git://` is super blocked by port in a bunch of places `https`
isn't. So there's that.


[1]: https://github.com/blog/809-git-dumb-http-transport-to-be-turned-off-in-90-days

Attachment: signature.asc
Description: PGP signature

Reply to: