1 |
On Sun, 29 Mar 2015 18:41:33 +0200 |
2 |
Sebastian Pipping <sping@g.o> wrote: |
3 |
|
4 |
> Hi! |
5 |
> |
6 |
> |
7 |
> For the current Gentoo Git setup I found these methods working for |
8 |
> accessing a repository, betagarden in this case: |
9 |
> |
10 |
> git://anongit.gentoo.org/proj/betagarden.git |
11 |
> (git://git.gentoo.org/proj/betagarden.git) |
12 |
> (git://git.overlays.gentoo.org/proj/betagarden.git) |
13 |
> |
14 |
> http://anongit.gentoo.org/git/proj/betagarden.git |
15 |
> |
16 |
> (http://cgit.gentooexperimental.org/proj/betagarden.git) |
17 |
> |
18 |
> git+ssh://git@××××××××××.org/proj/betagarden.git |
19 |
> (git+ssh://git@×××××××××××××××××××.org/proj/betagarden.git) |
20 |
> |
21 |
> Those without braces are the ones announced at the repository's page |
22 |
> [1]. |
23 |
> |
24 |
> My concerns about the current set of supported ways of transfer are: |
25 |
> |
26 |
> * There does not seem to be support for https://. Please add it. |
27 |
> |
28 |
> * Why do we serve Git over git:// and http:// if those are vulnerable |
29 |
> to man-in-the-middle attacks (before having waterproof GPG |
30 |
> protection for whole repositories in place)? |
31 |
> Especially with ebuilds run by root, we cannot afford MITM. |
32 |
> |
33 |
> |
34 |
> So I would like to propose that |
35 |
> |
36 |
> * support for Git access through https:// is activated, |
37 |
> |
38 |
> * Git access through http:// and git:// is deactivated, and |
39 |
> |
40 |
> * the URLs on gitweb.gentoo.org and the Layman registry are |
41 |
> updated accordingly. (Happy to help with the latter.) |
42 |
> |
43 |
> |
44 |
> Thanks for your consideration. |
45 |
> |
46 |
> Best, |
47 |
> |
48 |
> |
49 |
> |
50 |
> Sebastian |
51 |
> |
52 |
> |
53 |
> [1] https://gitweb.gentoo.org/proj/betagarden.git/ |
54 |
> |
55 |
> |
56 |
Doesn't git:// uses SSH wich is secure? I think that was on github. |