URL: <http://savannah.gnu.org/support/?109093>
Summary: Support and require cloning via https:// instead of git://, http://, svn://, or other insecure transport
Project: Savannah Administration
Submitted by: None
Submitted on: Wed 13 Jul 2016 10:25:24 PM UTC
Category: Source code repositories - anonymous access
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email: demioben...@gmail.com
Operating System: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

Due to man-in-the-middle attacks, the only secure ways to clone a repository are HTTPS and SSH. git://, http://, svn://, and others are all insecure.

However, Savannah recommends cloning via the insecure git:// protocol, and indeed it is not even possible to clone via the secure https:// protocol in many cases! This is a security risk (remote execution of arbitrary code) for anyone who does an anonymous checkout of any project over an insecure means of transport.

Git (at least) provides a smart HTTP(S) server, which is much faster than the old "dumb HTTP" transport, and roughly as fast as SSH. Performance of the git:// protocol is irrelevant as it is insecure.

The result for me is that I am not able to use the Git master of binutils-gdb to debug my Rust programs, among other problems.

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109093>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
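As an added example (not part of the original ticket or of Savannah's tooling), the following shell functions audit an existing clone for remotes that use the transports the ticket calls insecure. The function names and the example.org URLs in the comments are constructed for illustration.

```shell
#!/bin/sh
# Classify a Git remote URL by transport (illustrative helper, not a git API).
#   secure   - https:// and SSH, which authenticate the server
#   insecure - git://, http://, svn://, ftp://: no server authentication,
#              so a man-in-the-middle can substitute repository content
#   local    - filesystem paths and file:// URLs
#   unknown  - any other scheme; review by hand
classify_remote() {
    case "$1" in
        https://*|ssh://*)               echo secure ;;
        git://*|http://*|svn://*|ftp://*) echo insecure ;;
        file://*|/*|./*|../*)            echo local ;;
        *://*)                           echo unknown ;;
        *:*)
            # scp-like "user@host:path" is SSH, unless a slash precedes the
            # first colon, in which case git treats it as a local path.
            case "${1%%:*}" in
                */*) echo local ;;
                *)   echo secure ;;
            esac ;;
        *)                               echo local ;;
    esac
}

# Print "<remote> <url>" for each remote of the clone at $1 whose effective
# URL is insecure. Returns 1 if any were found, 0 otherwise.
# Constructed example of a flagged line: origin git://git.example.org/project.git
audit_repo() {
    found=0
    for name in $(git -C "$1" remote); do
        # get-url reports the URL after any url.<base>.insteadOf rewriting
        url=$(git -C "$1" remote get-url "$name")
        if [ "$(classify_remote "$url")" = insecure ]; then
            echo "$name $url"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: sh audit-remotes.sh /path/to/clone
if [ "$#" -gt 0 ]; then
    audit_repo "$1"
fi
```

On the client side, Git's `protocol.<name>.allow` setting (for example `git config --global protocol.git.allow never`) makes Git refuse a transport outright, so a flagged remote fails instead of fetching over it.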