On Fri, 2011-06-24 at 22:05 +0200, Christian Johansen wrote:
>         For my own servers I would turn off the HTTP protocol for
>         push/pull anyway...
> 
> Why? 

Explanation is below here: 
>  
>         I like to have http only for the Gitorious web interface. I
>         can open only SSH and HTTP ports in the router and require
>         login to the web interface. I use this setup for my private
>         data.
> 
> You can protect HTTP push the same way. The way it's currently
> implemented (thanks to JGit's fantastic API), you can basically
> provide a separate security handler for HTTP(S) push - or even accept
> push through a different host name (which can be protected by a
> firewall and so on).

I want to protect both push and pull... easier to just turn it off...
For data I need to publish I don't use my own servers... 

I strongly believe that most, if not all, software projects would benefit
from being published.

But most of the data I have in my private/corp git repositories are not
even software projects. So my use may not be representative for what the
Gitorious project aims for. However I think that lots of private
Gitorious servers contain data that the owners think may be worth
protecting. 

>  
>         
>         Besides... I kind of trust SSH more than anything else in this
>         world... I will have a hard time deciding to allow any other
>         push protocol in my own servers...
> 
> I'd argue that the HTTPS approach actually has better security. It's
> very restricted, does not require a privileged/dedicated user to log
> in to the server, and is built for this one purpose only. If you have
> specific security concerns, please share.

The https solution is not mature in the same way as the ssh solution.
SSH has protected Unix/Linux boxes for ages.
Software built for one purpose only is not exposed to the same range of
threats and is therefore maturing slower... ssh has been THE target of
hacking attempts since the protocol was first specified back in the
90s.
I don't understand why you are concerned about the dedicated git user
account... just lock it down properly. You have exactly the same
situation on every ssh server on the planet.

Please keep the SSH and Git protocols at least until it is dropped by
the git project (which hopefully will never happen). 
And I also saw concerns about JGit and writing to the repos. I think all
writing to the repos should be done using code from the git project.

Martin



-- 
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com
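The message above says the dedicated git account should simply be "locked down properly" but does not show what that means. As an added example (not part of this thread, and not Gitorious or git project code), the script below generates the two OpenSSH pieces that pin such an account to repository access only: an authorized_keys entry with a forced command and forwarding/PTY disabled, and a matching `Match User` stanza for sshd_config. The account name `git`, the use of OpenSSH and git-shell, and the sample key are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes OpenSSH server and git-shell from the git project; the account
# name "git" and the sample public key are constructed for illustration.

# A weak authorized_keys entry would be the bare key:
#   ssh-ed25519 AAAA... user@host
# That gives the holder an interactive shell as "git" plus port and agent
# forwarding, far more than a push/pull client needs.

# Hardened entry: every login with this key is forced through git-shell,
# which only executes git-upload-pack / git-receive-pack style commands,
# and the forwarding and TTY features are switched off for the key.
git_authorized_keys_line() {
    pubkey="$1"   # e.g. "ssh-ed25519 AAAA... user@host"
    printf 'command="git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# Server-side backstop: even if a key line is added without the options
# above, sshd itself refuses passwords, forwarding and TTYs for the git
# user and forces git-shell as the command.
git_sshd_match_block() {
    cat <<'EOF'
Match User git
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand git-shell -c "$SSH_ORIGINAL_COMMAND"
EOF
}

# Usage (constructed sample key, not a real one):
git_authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA alice@laptop"
git_sshd_match_block
```

After appending the Match block to sshd_config, `sshd -t` checks the syntax before the daemon is reloaded; the key line goes into `~git/.ssh/authorized_keys`. Both layers are deliberately redundant: the per-key options protect against a misconfigured server, the Match block protects against a key line added without options.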