
Re: Death to git://! Long live git://!



On Fri, Jan 08, 2016 at 10:43:40AM -0500, Paul Tagliamonte wrote:
> Hey devel,
> 
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
> 
> `git://` is plaintext, and plaintext transports are bad.
> 
> I'd like to suggest we move all Vcs-Git entries to either `https` or
> `ssh`.
> 
> Signing tags is a good step, yes, but there will always be unsigned
> contents at the head of the branch, and users won't always check them
> when cloning a package locally. I'm sure some DDs out there will even
> debcheckout and upload after checking a `git diff` rather than a
> `debdiff`, because git never lies, right?
> 
> Not everyone pulls down the package and uses debdiff, and it only takes
> one mistake to own systems.

Switching to https does prevent some attacks and generally seems like a
good idea, but does not, of course, eliminate the possibility of rogue
code being committed to the source repository. Maintainers will still
need to judge whether the repository they are pulling from (both the
infrastructure and the push access) is sufficiently trustworthy to use
without checking against packages (or previous versions of their
trusted local repo).

Cheers,
Dominic.
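As an added example for this thread (not Debian tooling, and not code from either poster), the following script does the mechanical half of what Paul proposes: it parses a deb822 control file, pulls the URL out of each Vcs-Git field (ignoring the optional "-b <branch>" and "[<path>]" parts), reports which ones still use a plaintext transport (git:// or http://), and suggests the https:// equivalent. The control text is constructed for the example and the host git.example.org is hypothetical; the suggestion assumes the host serves the same repository over https, which has to be checked per host. It does nothing about the trust question Dominic raises, since whether push access to a repository is trustworthy is a judgement, not something a lint can decide.

```python
"""Lint Vcs-Git fields in Debian control files for plaintext transports.

Added example for this thread, not part of any Debian tool. It assumes
the control file is deb822 and that Vcs-Git values have the documented
shape "<url> [-b <branch>] [[<path>]]".
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Transports that give the client no way to authenticate the server or
# detect tampering in transit: the native git protocol and plain http.
INSECURE_SCHEMES = {"git", "http"}
# Transports that authenticate the server (TLS certificate / SSH host key).
SECURE_SCHEMES = {"https", "ssh", "git+ssh", "ssh+git"}

# scp-like syntax "user@host:path", which git always carries over ssh.
# The lookahead keeps "scheme://..." URLs from matching.
SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:(?!//)\S+$")

# Constructed sample control file (hypothetical host git.example.org).
SAMPLE_CONTROL = """\
Source: example
Section: misc
Priority: optional
Maintainer: Example Maintainer <maint@example.org>
Vcs-Git: git://git.example.org/collab-maint/example.git -b debian/sid
Vcs-Browser: https://git.example.org/cgit/collab-maint/example.git

Package: example
Architecture: any
Description: constructed sample package
 This paragraph carries no Vcs-* fields.
"""


def parse_control(text):
    """Split a deb822 file into paragraphs, each a {field: value} dict.

    Continuation lines (leading whitespace) are folded into the previous
    field; a blank line ends the paragraph.
    """
    paragraphs, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t" and last:
            current[last] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last = field.strip()
        current[last] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def vcs_git_url(value):
    """Return just the URL: the first token, before any '-b <branch>' or '[<path>]'."""
    tokens = value.split()
    return tokens[0] if tokens else ""


def classify(url):
    """Return 'insecure', 'ok' or 'unknown' for a git remote URL."""
    if SCP_LIKE.match(url):
        return "ok"  # scp-like form is ssh, whatever the host name looks like
    scheme = urlsplit(url).scheme.lower()
    if scheme in INSECURE_SCHEMES:
        return "insecure"
    if scheme in SECURE_SCHEMES:
        return "ok"
    return "unknown"


def suggest_https(url):
    """Rewrite a git:// URL to https:// with the same host and path.

    Assumption: the host serves the same repository over https. That is
    not guaranteed, so the suggestion must be verified before editing
    debian/control.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "git":
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def lint_control(text):
    """Return (source, url, verdict) for every paragraph carrying Vcs-Git."""
    findings = []
    for para in parse_control(text):
        if "Vcs-Git" not in para:
            continue
        url = vcs_git_url(para["Vcs-Git"])
        findings.append((para.get("Source", "?"), url, classify(url)))
    return findings


if __name__ == "__main__":
    for source, url, verdict in lint_control(SAMPLE_CONTROL):
        line = f"{source}: {url} [{verdict}]"
        if verdict == "insecure":
            line += f" -> consider {suggest_https(url)}"
        print(line)
```

For the client side of the same problem, git's own `url.<base>.insteadOf` setting (see git-config) can rewrite every git:// fetch to https:// without touching control files, e.g. `git config --global url."https://".insteadOf git://`; it carries the same caveat that the host must actually serve the repository over https at the same path.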

