Security in this case is about being sure everyone gets exactly the
same repository as stored on the server, without any modifications to
the sources caused by MITM.

As for "smart" http, this seems pretty much cool. However, we're
currently using lighttpd, so it might be an issue. We'll check on
whether "smart" http is used there, and if not, guess it wouldn't be a
big deal to switch to apache.

On Fri, Dec 27, 2013 at 8:20 PM, Matthieu Moy
<matthieu....@grenoble-inp.fr> wrote:
> Andreas Schwab <sch...@linux-m68k.org> writes:
>
>> Sergey Sharybin <sergey....@gmail.com> writes:
>>
>>> So guess we just need to recommend using https:// protocol instead of
>>> git:// for our users?
>>
>> Given how easy it is to verify the integrity of a git repository out of
>> band there isn't really much of added security by using TLS for
>> transport.
>
> You can verify integrity after the fact, but not guarantee
> confidentiality ... so it again depends on the definition of "security".
>
> --
> Matthieu Moy
> http://www-verimag.imag.fr/~moy/



-- 
With best regards, Sergey Sharybin
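
The out-of-band integrity check mentioned in the quoted reply, as an added example that is not part of the original thread: a commit ID names the whole history beneath it, so comparing HEAD against an ID obtained over a separate trusted channel detects a clone that was modified in transit. The helper names (verify_clone, demo) and the throwaway repositories are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every repository is a throwaway directory under mktemp.

# verify_clone REPO WANT
# Returns 0 only if the object store passes fsck and HEAD is exactly the
# commit ID obtained out of band; 1 on mismatch, 2 if the repo is unreadable.
verify_clone() {
    repo=$1 want=$2
    git -C "$repo" fsck --full --strict >/dev/null 2>&1 || return 2
    have=$(git -C "$repo" rev-parse --verify 'HEAD^{commit}' 2>/dev/null) || return 2
    [ "$have" = "$want" ] || return 1
    return 0
}

# demo: build an "upstream", one faithful clone and one altered clone,
# then print the verify_clone result for each.
demo() {
    work=$(mktemp -d) || return 1
    g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

    g init -q "$work/upstream"
    echo 'int main(void) { return 0; }' > "$work/upstream/main.c"
    g -C "$work/upstream" add main.c
    g -C "$work/upstream" commit -q -m 'initial import'
    # The value a maintainer would publish over a separate trusted channel.
    expected=$(git -C "$work/upstream" rev-parse HEAD)

    g clone -q "$work/upstream" "$work/good"
    g clone -q "$work/upstream" "$work/altered"
    # Stand-in for a modification in transit: the sources differ by one commit.
    echo 'int main(void) { return 1; }' > "$work/altered/main.c"
    g -C "$work/altered" commit -q -a -m 'initial import'

    verify_clone "$work/good" "$expected" && good=0 || good=$?
    verify_clone "$work/altered" "$expected" && altered=0 || altered=$?
    rm -rf "$work"
    echo "good=$good altered=$altered"
}
```

This check covers integrity only; it says nothing about who could read the traffic, which is the confidentiality point raised in the quoted reply.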