While we're on the subject of git security... should we stop recommending that non-account-holders use git:// (most efficient, but insecure against MITM unless you manually check the commit number) in preference to https:// (at least some security)? https://wiki.debian.org/Alioth/Git#Accessing_repositories

Any suggestions for persuading upstreams to care about these issues? Mine has no https on the repository (though they do on the release tarballs), no signed anything, and has not responded to me pointing out that this is a security hole: https://bugs.freedesktop.org/show_bug.cgi?id=89682

