Although everything you're talking about is right from a paranoid point of view, I'd 
still say "DO NOT DO THAT", because you propose to revoke the users' right 
to choose.

It is the user's decision which protocol to use to fetch the sources. That said, 
you're, of course, free to make layman fetch "official" repos over https 
rather than http/git by default.

Moreover, there are times when it is impossible to fetch sources in a 
"secure" way, but you need them right here and right now.

In a message of Sun, 29 March 2015 18:41:33, user Sebastian Pipping wrote:
> Hi!
> 
> 
> For the current Gentoo Git setup I found these methods working for
> accessing a repository, betagarden in this case:
> 
>   git://anongit.gentoo.org/proj/betagarden.git
>  (git://git.gentoo.org/proj/betagarden.git)
>  (git://git.overlays.gentoo.org/proj/betagarden.git)
> 
>   http://anongit.gentoo.org/git/proj/betagarden.git
> 
>  (http://cgit.gentooexperimental.org/proj/betagarden.git)
> 
>   git+ssh://g...@git.gentoo.org/proj/betagarden.git
>  (git+ssh://g...@git.overlays.gentoo.org/proj/betagarden.git)
> 
> Those without braces are the ones announced at the repository's page [1].
> 
> My concerns about the current set of supported ways of transfer are:
> 
>  * There does not seem to be support for https://.  Please add it.
> 
>  * Why do we serve Git over git:// and http:// if those are vulnerable
>    to man-in-the-middle attacks (before having waterproof GPG
>    protection for whole repositories in place)?
>    Especially with ebuilds run by root, we cannot afford MITM.
> 
> 
> So I would like to propose that
> 
>  * support for Git access through https:// is activated,
> 
>  * Git access through http:// and git:// is deactivated, and
> 
>  * the URLs on gitweb.gentoo.org and the Layman registry are
>    updated accordingly.  (Happy to help with the latter.)
> 
> 
> Thanks for your consideration.
> 
> Best,
> 
> 
> 
> Sebastian
> 
> 
> [1] https://gitweb.gentoo.org/proj/betagarden.git/

-- 
Best regards,
mva
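One way a user or overlay maintainer could check which transports their sync configuration relies on, as an added example that is not part of this thread: it classifies each remote URL by whether the transport authenticates the server (TLS or SSH) and runs over a constructed repos.conf-style sample. The sample paths and the scp-like ssh form are assumptions; the rsync and git URLs are the kinds listed in the quoted mail.

```python
import configparser
import re
from urllib.parse import urlsplit

# Transports that authenticate the server (TLS certificate or SSH host key), so a
# network attacker cannot silently substitute repository content in transit.
AUTHENTICATED = {"https", "ssh", "git+ssh"}
# Transports with no server authentication; these are the ones the mail objects to.
UNAUTHENTICATED = {"git", "http", "git+http", "ftp", "rsync"}
# scp-like syntax accepted by git: [user@]host:path (no "://" separator)
_SCP_LIKE = re.compile(r"^(?:[^@/]+@)?[^:/]+:(?!//).+$")

def transport_of(url):
    """Return the transport scheme of a Git or Portage sync URL ('ssh' for scp-like form)."""
    if "://" in url:
        return urlsplit(url).scheme.lower()
    return "ssh" if _SCP_LIKE.match(url) else "file"

def verdict_for(url):
    scheme = transport_of(url)
    if scheme in AUTHENTICATED:
        return "ok"
    return "unauthenticated" if scheme in UNAUTHENTICATED else "unknown"

def audit_repos_conf(text):
    """Map each repository section of a repos.conf-style file to a verdict on its sync-uri."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {name: (verdict_for(cfg[name]["sync-uri"]) if "sync-uri" in cfg[name] else "no-sync-uri")
            for name in cfg.sections()}

# Constructed sample, not taken from any real system (paths are hypothetical).
SAMPLE_REPOS_CONF = """\
[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage

[betagarden]
location = /var/lib/layman/betagarden
sync-type = git
sync-uri = git://anongit.gentoo.org/proj/betagarden.git
"""

if __name__ == "__main__":
    for repo, verdict in audit_repos_conf(SAMPLE_REPOS_CONF).items():
        print(f"{repo}: {verdict}")
```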
