On Mon, May 25, 2015 at 11:38:06AM -0700, Josh Triplett wrote: > > While we're on the subject of git security...should we stop > > recommending that non-account-holders use git:// (most efficient, but > > insecure against MITM unless you manually check the commit number) in > > preference to https:// (at least some security)? > > https://wiki.debian.org/Alioth/Git#Accessing_repositories > > https:// is actually just as efficient as git:// these days (other than the > minor overhead of TLS, which is worth it for security).
Why? Which attack do you envision (other than the ridiculous "the NSA would see that we're pushing!", which they can by just doing a git clone too) that would be thwarted by https but not by signed commits? -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150527080835.ga20...@grep.be
