
Re: [Xen-devel] [PATCH 2/2] MAINTAINERS: use https for git trees

Wei Liu writes ("Re: [PATCH 2/2] MAINTAINERS: use https for git trees"):
> On Tue, Jul 10, 2018 at 02:36:49AM -0600, Jan Beulich wrote:
> > On 10.07.18 at 10:15, <wei.liu2@xxxxxxxxxx> wrote:
> > > Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> > 
> > What's wrong with git:// ? I think the commit message should be non-
> > empty here.
> git: is not encrypted, while https: is. At this time of age, it is
> better to use encryption as much as possible.

I agree with this change, so

Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

Let me expand on Wei's reasons:

The git protocol is not just unencrypted, but also unauthenticated.
In theory it is possible to verify the signed tags for actual
releases, but that is a cumbersome process which I very much doubt
anyone really does.

As for the various branch tips, there is currently no way (unless you
have a shell account on xenbits) to get any kind of authenticated

Conversely, if you use an https url, you get some cryptographic
authentication of what you are cloning.  The crypto there is far from
perfect but it is massively better than nothing.

Additionally, in general, using and supporting https also means that
*what users are accessing* is encrypted.  This enhances user privacy.
In the specific case of the git trees on xenbits this is a very minor

