Re: Death to git://! Long live git://!

2016-01-08 Thread Christian Seiler
On 01/08/2016 04:43 PM, Paul Tagliamonte wrote: > We still have `git://` all over the place, for instance, on Vcs-Git on > control files. That makes me sad. Boo insecure transports. Ben Hutchings posted this not too long ago on Planet Debian:

Re: Death to git://! Long live git://!

2016-01-08 Thread Christoph Anton Mitterer
On Fri, 2016-01-08 at 09:35 -0800, Russ Allbery wrote: > Moving the goalposts from trivial MITM via a rogue AP to obtaining a > fraudulent SSL certificate is probably not "hard" security, whatever > that > means to you, but is a substantial increase in the level of work > required for > the attacker.

Re: Death to git://! Long live git://!

2016-01-08 Thread Paul Tagliamonte
> I'd like to suggest we move all Vcs-Git entries to either `https` or > `ssh`. > As mapreri points out - this is for anon clone, so only https - as I pointed out in a blog post years ago, ssh is a bad idea :) http://blog.pault.ag/post/27268910152/usage-of-vcs-git-in-the-debian-archive --

Re: Death to git://! Long live git://!

2016-01-08 Thread Scott Kitterman
On Friday, January 08, 2016 10:43:40 AM Paul Tagliamonte wrote: > Hey devel, > > We still have `git://` all over the place, for instance, on Vcs-Git on > control files. That makes me sad. Boo insecure transports. > > `git://` is plaintext, and plaintext transports are bad. > > I'd like to

Re: Death to git://! Long live git://!

2016-01-08 Thread Russ Allbery
Christoph Anton Mitterer writes: > On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote: >> I'd like to suggest we move all Vcs-Git entries to either `https` or > I doubt https will give any real hard additional security, based on the > inherent problems of the X.509

Death to git://! Long live git://!

2016-01-08 Thread Paul Tagliamonte
Hey devel, We still have `git://` all over the place, for instance, on Vcs-Git on control files. That makes me sad. Boo insecure transports. `git://` is plaintext, and plaintext transports are bad. I'd like to suggest we move all Vcs-Git entries to either `https` or `ssh`. Signing tags is a

Bug#810378: lintian: suggest to use https:// over git:// (was: Re: Death to git://! Long live git://!)

2016-01-08 Thread Ansgar Burchardt
Package: lintian Severity: wishlist Paul Tagliamonte writes: > We still have `git://` all over the place, for instance, on Vcs-Git on > control files. That makes me sad. Boo insecure transports. > > `git://` is plaintext, and plaintext transports are bad. > > I'd like to

Re: Death to git://! Long live git://!

2016-01-08 Thread Dominic Hargreaves
On Fri, Jan 08, 2016 at 10:43:40AM -0500, Paul Tagliamonte wrote: > Hey devel, > > We still have `git://` all over the place, for instance, on Vcs-Git on > control files. That makes me sad. Boo insecure transports. > > `git://` is plaintext, and plaintext transports are bad. > > I'd like to

Re: Death to git://! Long live git://!

2016-01-08 Thread Christoph Anton Mitterer
On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote: > I'd like to suggest we move all Vcs-Git entries to either `https` or I doubt https will give any real hard additional security, based on the inherent problems of the X.509 CA system. Per default, git would take the system CA store,

Re: Death to git://! Long live git://!

2016-01-08 Thread Paul Tagliamonte
Good point, and I stand corrected. Thanks! Let's beat GitHub! Paul On Fri, Jan 8, 2016 at 10:47 AM, Andrew Shadura wrote: > On 08/01/16 16:43, Paul Tagliamonte wrote: > > `git://` provides no upside and really shouldn't exist anymore. GitHub > > has even turned it off[1] >

Re: Death to git://! Long live git://!

2016-01-08 Thread Alexandre Detiste
Hi, > http://blog.pault.ag/post/27268910152/usage-of-vcs-git-in-the-debian-archive > > Enter github.com/debian > > – IMHO, we should consider putting the repos that are already on > GitHub under Debian namespace, so that the team of maintainers > may be able to add new collaborators. I'd like to

Re: Death to git://! Long live git://!

2016-01-08 Thread Mehdi Dogguy
On 2016-01-08 16:43, Paul Tagliamonte wrote: Hey devel, We still have `git://` all over the place, for instance, on Vcs-Git on control files. That makes me sad. Boo insecure transports. `git://` is plaintext, and plaintext transports are bad. I'd like to suggest we move all Vcs-Git entries to