On 01/08/2016 04:43 PM, Paul Tagliamonte wrote:
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
Ben Hutchings posted this not too long ago on Planet Debian:
On Fri, 2016-01-08 at 09:35 -0800, Russ Allbery wrote:
> Moving the goalposts from trivial MITM via a rogue AP to obtaining a
> fraudulent SSL certificate is probably not "hard" security, whatever that
> means to you, but is a substantial increase in the level of work required for
> the attacker.
> I'd like to suggest we move all Vcs-Git entries to either `https` or
> `ssh`.
>
As mapreri points out - this is for anon clone, so only https - as I
pointed out in a blog post years ago, ssh is a bad idea :)
http://blog.pault.ag/post/27268910152/usage-of-vcs-git-in-the-debian-archive
--
On Friday, January 08, 2016 10:43:40 AM Paul Tagliamonte wrote:
> Hey devel,
>
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
>
> `git://` is plaintext, and plaintext transports are bad.
>
> I'd like to
Christoph Anton Mitterer writes:
> On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote:
>> I'd like to suggest we move all Vcs-Git entries to either `https` or
> I doubt https will give any real hard additional security, based on the
> inherent problems of the X.509
Hey devel,
We still have `git://` all over the place, for instance, on Vcs-Git on
control files. That makes me sad. Boo insecure transports.
`git://` is plaintext, and plaintext transports are bad.
I'd like to suggest we move all Vcs-Git entries to either `https` or
`ssh`.
Signing tags is a
Package: lintian
Severity: wishlist
Paul Tagliamonte writes:
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
>
> `git://` is plaintext, and plaintext transports are bad.
>
> I'd like to
On Fri, Jan 08, 2016 at 10:43:40AM -0500, Paul Tagliamonte wrote:
> Hey devel,
>
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
>
> `git://` is plaintext, and plaintext transports are bad.
>
> I'd like to
On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote:
> I'd like to suggest we move all Vcs-Git entries to either `https` or
I doubt https will give any real hard additional security, based on the
inherent problems of the X.509 CA system.
Per default, git would take the system CA store,
Good point, and I stand corrected. Thanks!
Let's beat GitHub!
Paul
On Fri, Jan 8, 2016 at 10:47 AM, Andrew Shadura wrote:
> On 08/01/16 16:43, Paul Tagliamonte wrote:
> > `git://` provides no upside and really shouldn't exist anymore. GitHub
> > has even turned it off[1]
>
Hi,
> http://blog.pault.ag/post/27268910152/usage-of-vcs-git-in-the-debian-archive
>
> Enter github.com/debian
>
> – IMHO, we should consider putting the repos that are already on
> GitHub under Debian namespace, so that the team of maintainers
> may be able to add new collaborators.
I'd like to
On 2016-01-08 16:43, Paul Tagliamonte wrote:
Hey devel,
We still have `git://` all over the place, for instance, on Vcs-Git on
control files. That makes me sad. Boo insecure transports.
`git://` is plaintext, and plaintext transports are bad.
I'd like to suggest we move all Vcs-Git entries to