
Re: Secure Vcs-Git on alioth



On 07/17/2016 02:15 PM, Yuri D'Elia wrote:
> Regarding Lintian's informational warning about insecure git:// URIs in
> the Vcs-Git field:
> 
> https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
> 
> I can switch easily from:
> 
>   git://anonscm.debian.org/collab-maint/trend.git
> 
> to
> 
>   https://anonscm.debian.org/git/collab-maint/trend.git
> 
> however shallow cloning (which I use regularly), breaks.
> 
> I found an old mention exactly about this issue that boiled down to use
> your alioth account to use git+ssh. However, this is _not_ what I would
> suggest to a random user expecting to be able to clone from the provided
> URL.
> 
> So, how serious is this "suggestion"?

I have the following in my ~/.gitconfig:

[url "git+ssh://git.debian.org/git/"]
        insteadOf = git://anonscm.debian.org/
        insteadOf = git://git.debian.org/
        insteadOf = https://anonscm.debian.org/git/
        insteadOf = https://anonscm.debian.org/cgit/
        insteadOf = http://anonscm.debian.org/git/
        insteadOf = http://anonscm.debian.org/cgit/

That way, I always use SSH for alioth (and can then push
without trouble, even if I first checked out a repository
via debcheckout or similar), but the repositories can
use the HTTPS URI instead for people without an alioth
account.

Regards,
Christian
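
The rewrite rules above can be checked offline before relying on them. The following is an added example, not part of the original message: it copies the same [url] section into a throwaway HOME (so the real ~/.gitconfig is untouched) and asks git which URL it would actually contact. The example.org URL is a constructed sample.

```shell
#!/bin/sh
# Added example: show which URL git really uses once the insteadOf
# rules from the message are in place. Nothing here touches the network.

# Throwaway HOME so the user's own ~/.gitconfig is neither read nor modified.
DEMO_HOME=$(mktemp -d)

cat > "$DEMO_HOME/.gitconfig" <<'EOF'
[url "git+ssh://git.debian.org/git/"]
        insteadOf = git://anonscm.debian.org/
        insteadOf = git://git.debian.org/
        insteadOf = https://anonscm.debian.org/git/
        insteadOf = https://anonscm.debian.org/cgit/
        insteadOf = http://anonscm.debian.org/git/
        insteadOf = http://anonscm.debian.org/cgit/
EOF

# Print the URL git would contact for $1 after insteadOf rewriting.
# "git ls-remote --get-url" only expands the URL and exits.
resolve_url() {
    HOME="$DEMO_HOME" XDG_CONFIG_HOME="$DEMO_HOME/.config" GIT_CONFIG_NOSYSTEM=1 \
        git ls-remote --get-url "$1"
}

# The two URLs from the quoted message, plus a constructed unrelated one
# that must pass through unchanged.
for u in \
    git://anonscm.debian.org/collab-maint/trend.git \
    https://anonscm.debian.org/git/collab-maint/trend.git \
    https://example.org/some/repo.git
do
    printf '%s\n  -> %s\n' "$u" "$(resolve_url "$u")"
done
```

Both Vcs-Git forms resolve to the same git+ssh URL, so the unauthenticated git:// transport is never used from this account, while hosts not listed in the section are left alone.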

