1 |
Hi! |
2 |
|
3 |
|
4 |
For the current Gentoo Git setup I found these methods working for |
5 |
accessing a repository, betagarden in this case: |
6 |
|
7 |
git://anongit.gentoo.org/proj/betagarden.git |
8 |
(git://git.gentoo.org/proj/betagarden.git) |
9 |
(git://git.overlays.gentoo.org/proj/betagarden.git) |
10 |
|
11 |
http://anongit.gentoo.org/git/proj/betagarden.git |
12 |
|
13 |
(http://cgit.gentooexperimental.org/proj/betagarden.git) |
14 |
|
15 |
git+ssh://git@××××××××××.org/proj/betagarden.git |
16 |
(git+ssh://git@×××××××××××××××××××.org/proj/betagarden.git) |
17 |
|
18 |
Those without braces are the ones announced at the repository's page [1]. |
19 |
|
20 |
My concerns about the current set of supported ways of transfer are: |
21 |
|
22 |
* There does not seem to be support for https://. Please add it. |
23 |
|
24 |
* Why do we serve Git over git:// and http:// if those are vulnerable |
25 |
to man-in-the-middle attacks (before having waterproof GPG |
26 |
protection for whole repositories in place)? |
27 |
Especially with ebuilds run by root, we cannot afford MITM. |
28 |
|
29 |
|
30 |
So I would like to propose that |
31 |
|
32 |
* support for Git access through https:// is activated, |
33 |
|
34 |
* Git access through http:// and git:// is deactivated, and |
35 |
|
36 |
* the URLs on gitweb.gentoo.org and the Layman registry are |
37 |
updated accordingly. (Happy to help with the latter.) |
38 |
|
39 |
|
40 |
Thanks for your consideration. |
41 |
|
42 |
Best, |
43 |
|
44 |
|
45 |
|
46 |
Sebastian |
47 |
|
48 |
|
49 |
[1] https://gitweb.gentoo.org/proj/betagarden.git/ |