On 06 Feb 2022 14:59, Alex Ameen wrote:
> Hey, I can't claim to be an expert about this category of vulnerability;
> but I appreciate you raising this concern.

it requires more than a MITM to be successful. you'd also have to come up with a sha1 collision which is non-trivial for most people. not out of the reach of nation states, but we prob aren't the target market :p.

i'm not against changing to https of course, just providing a bit more color.

> So is your recommendation to use
> https://git.savannah.gnu.org/git/gnulib.git instead of
> git://git.sv.gnu.org/gnulib.git?

i'll note that just about every GNU project that utilizes gnulib is using the git:// style. looks like gnulib itself only changed its advice about a year ago.
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?h=b7da35aebaeece97dd8946072952979bb67f8db2
-mike
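For a project that wants to make the switch discussed in this thread, the script below lists submodule entries still using the git:// transport. It is an added example, not part of the original message or of any GNU project's tooling; the function names and the sample .gitmodules text (including the "docs" entry) are constructed, and only the gnulib URL pair quoted in the thread is mapped.

```shell
#!/bin/sh
# Added example: audit .gitmodules-format text for git:// submodule URLs.

# Constructed sample; the "docs" entry and its URL are made up.
sample_gitmodules() {
cat <<'EOF'
[submodule "gnulib"]
    path = gnulib
    url = git://git.sv.gnu.org/gnulib.git
[submodule "docs"]
    path = docs
    url = https://example.org/docs.git
EOF
}

# Print "name<TAB>url" for every submodule whose url uses git://.
find_git_scheme_submodules() {
    awk '
        /^[ \t]*\[submodule[ \t]+"/ {
            name = $0
            sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)
            next
        }
        /^[ \t]*\[/ { name = ""; next }
        name != "" && /^[ \t]*url[ \t]*=/ {
            url = $0
            sub(/^[^=]*=[ \t]*/, "", url); sub(/[ \t]+$/, "", url)
            if (url ~ /^git:\/\//) printf "%s\t%s\n", name, url
        }
    '
}

# Only the mapping named in the thread is known; anything else gets no guess.
suggest_https_url() {
    case "$1" in
        git://git.sv.gnu.org/gnulib.git)
            echo "https://git.savannah.gnu.org/git/gnulib.git" ;;
        *) echo "" ;;
    esac
}

sample_gitmodules | find_git_scheme_submodules |
while IFS="$(printf '\t')" read -r name url; do
    fix=$(suggest_https_url "$url")
    echo "$name: $url -> ${fix:-no known https equivalent}"
done
```

To audit a real checkout, feed the function the project's own file: `find_git_scheme_submodules < .gitmodules`.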