Re: Secure Vcs-Git on alioth
On 07/17/2016 02:15 PM, Yuri D'Elia wrote:
> Regarding Lintian's informational warning about insecure git:// URIs in
> the Vcs-Git field:
>
> https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
>
> I can switch easily from:
>
> git://anonscm.debian.org/collab-maint/trend.git
>
> to
>
> https://anonscm.debian.org/git/collab-maint/trend.git
>
> however shallow cloning (which I use regularly), breaks.
>
> I found an old mention exactly about this issue that boiled down to use
> your alioth account to use git+ssh. However, this is _not_ what I would
> suggest to a random user expecting to be able to clone from the provided
> URL.
>
> So, how serious is this "suggestion"?
I have the following in my ~/.gitconfig:
[url "git+ssh://git.debian.org/git/"]
insteadOf = git://anonscm.debian.org/
insteadOf = git://git.debian.org/
insteadOf = https://anonscm.debian.org/git/
insteadOf = https://anonscm.debian.org/cgit/
insteadOf = http://anonscm.debian.org/git/
insteadOf = http://anonscm.debian.org/cgit/
That way, I always use SSH for alioth (and can then push
without trouble, even if I first checked out a repository
via debcheckout or similar), but the repositories can
use the HTTPS URI instead for people without an alioth
account.
Regards,
Christian
Reply to: