On Tue, 17 Feb 2015 00:53, h...@barrera.io said:

> git://github.com...", since any malicious attacker can intercept that
> communication. There's no checksumming or anything to make this difficult *at
> all*.
>
> What *does* surprise me is that there's a commit to specifically remove git+ssh
> in favour of insecure ssh. There's no comment on why that was done either:
[I assume you meant "insecure git"]

I do not think that it matters whether you pull using the git or the ssh protocol. In both cases an active attacker can intercept the traffic easily. Virtually nobody checks ssh host keys and how should they do it given that I can't find its fingerprint easily on github. Thus you would only see the "host key changed" warning in case this is not the first time you connected to this github project (I assume they use different host keys per project).

After all it is not different from downloading tarballs - only 10 to 20% of all downloads also download the signature file and for most projects there is no signature file.

For gnupg.org we assume that users of the repos closely watch out for conflicts and verify the latest release tag. If there is a problem, that should be reported to a mailing-list (after verification that it is really a conflict).

git meanwhile allows signing commits. If anyone knows a method to set a different key for tagging and commits, I would soon start to sign each commit. I use a smartcard based key for tagging but won't use that for regular commits.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
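
Added example (not part of the original message and not GnuPG project code): one way to automate the "verify the latest release tag" step mentioned above, by parsing the GnuPG status lines that `git verify-tag --raw <tag>` writes to stderr and accepting the tag only when a pinned fingerprint made the signature. The fingerprint, user ID and sample status lines are constructed placeholders; `tag_is_trusted` is a hypothetical helper name.

```python
# Constructed placeholder: the release key's primary fingerprint, obtained
# out of band. It is not a real key.
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status keywords that make the result untrustworthy even when a VALIDSIG
# line is also present (expired or revoked key, bad or unverifiable signature).
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def tag_is_trusted(status_text, pinned=PINNED):
    """Return (ok, detail) for the captured stderr of
    `git verify-tag --raw <tag>` (GnuPG "[GNUPG:] ..." status lines)."""
    signer = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text is not a stable interface
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            if signer is not None:
                return False, "multiple signatures"
            # The 10th argument is the primary key fingerprint when a subkey
            # signed; older gpg versions only report the first argument.
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
    if signer is None:
        return False, "no valid signature"
    if signer not in pinned:
        return False, "unpinned key " + signer
    return True, signer

# Constructed sample outputs, shaped like real gpg status lines.
GOOD = """gpg: Good signature from "Constructed Release Key"
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-02-17 1424131200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""
# Cryptographically valid, but made by a key that is not the pinned one.
OTHER_KEY = GOOD.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")
TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Release Key\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("other key", OTHER_KEY), ("tampered", TAMPERED)):
        print(name, tag_is_trusted(sample))
```

A "Good signature" from a key you never pinned is rejected here, which is the case a first-time clone over an intercepted connection would otherwise miss.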