
Re: Replacing Vcs-Git URIs to use https instead of git protocol



On Sat 2016-01-30 08:03:57 -0500, Salvatore Bonaccorso wrote:

> Any objection to a mass commit to replace all Vcs-Git URIs which use
> git as transport to use https?

No objection.  Rather, thank you for doing this.  While I'm not a big
fan of relying entirely on https for message security, my understanding
is that git by default doesn't even verify the digests of the objects it
fetches (see https://bugs.debian.org/813157 for an attempt to change
this).

This means that anyone fetching git objects over a cleartext link is
subject to tampering by a network attacker that could silently affect
their local working copy while still reporting the same commit ID as
their peers.  So secured transport is a step up, at least -- default
users of git are only vulnerable to git servers if they use secure
transport, and not to the network itself.

           --dkg
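
As an added example (not part of the original message and not an existing Debian tool): a small Python check that reads the source stanza of a debian/control file and reports whether its Vcs-Git field uses a cleartext transport. The sample control text and host names are constructed, and treating both `git` and `http` as cleartext schemes is this example's assumption.

```python
from urllib.parse import urlsplit

# Transports that give no protection against tampering on the network.
CLEARTEXT_SCHEMES = {"git", "http"}

# Constructed sample source stanza (not taken from a real package).
SAMPLE_CONTROL = """\
Source: example-pkg
Maintainer: Example Maintainer <maint@example.org>
Build-Depends: debhelper (>= 9),
 git
Vcs-Browser: https://git.example.org/cgit/example-pkg.git
Vcs-Git: git://git.example.org/example-pkg.git -b debian/sid

Package: example-pkg
Architecture: all
Description: constructed sample
"""

def source_fields(control_text):
    """Parse the first (source) stanza of deb822 text into {field: value}."""
    fields, current = {}, None
    for line in control_text.splitlines():
        if not line.strip():
            if fields:
                break              # a blank line ends the source stanza
            continue
        if line.startswith("#"):
            continue               # comment line
        if line[0] in " \t":       # continuation of the previous field
            if current:
                fields[current] += "\n" + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        fields[current] = value.strip()
    return fields

def audit_vcs_git(control_text):
    """Return (url, scheme, is_cleartext) for Vcs-Git, or None if absent."""
    value = source_fields(control_text).get("vcs-git")
    if not value:
        return None
    url = value.split()[0]         # drop optional "-b <branch>" suffix
    scheme = urlsplit(url).scheme.lower()
    return url, scheme, scheme in CLEARTEXT_SCHEMES

if __name__ == "__main__":
    print(audit_vcs_git(SAMPLE_CONTROL))
```

The check only flags the field; whether the same repository path is served over https on a given host has to be confirmed before rewriting the URI.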

