Re: [Xen-devel] [PATCH 2/2] MAINTAINERS: use https for git trees
Wei Liu writes ("Re: [PATCH 2/2] MAINTAINERS: use https for git trees"):
> On Tue, Jul 10, 2018 at 02:36:49AM -0600, Jan Beulich wrote:
> > On 10.07.18 at 10:15, <wei.liu2@xxxxxxxxxx> wrote:
> > > Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> >
> > What's wrong with git:// ? I think the commit message should be
> > non-empty here.
>
> git: is not encrypted, while https: is. At this time of age, it is
> better to use encryption as much as possible.

I agree with this change, so

Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

Let me expand on Wei's reasons:

The git protocol is not just unencrypted, but also unauthenticated.
In theory it is possible to verify the signed tags for actual
releases, but that is a cumbersome process which I very much doubt
anyone really does. As for the various branch tips, there is
currently no way (unless you have a shell account on xenbits) to get
any kind of authenticated value.

Conversely, if you use an https url, you get some cryptographic
authentication of what you are cloning. The crypto there is far from
perfect but it is massively better than nothing.

Additionally, in general, using and supporting https also means that
*what users are accessing* is encrypted. This enhances user privacy.
In the specific case of the git trees on xenbits this is a very minor
consideration.

Ian.
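Added example, not part of the original message or of the Xen tree: a shell check that flags git tree URLs whose transport gives no server authentication, the distinction drawn in the message above. The `T: git <url>` entry layout, the host names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Map a git URL to what its transport gives the client.
classify_git_url() {
    case "$1" in
        git://*|http://*)    echo unauthenticated ;; # no TLS, no server identity
        https://*)           echo tls ;;             # server checked via X.509 certificate
        ssh://*|git+ssh://*) echo ssh ;;             # server checked via SSH host key
        *://*)               echo unknown ;;
        /*|./*|../*)         echo local ;;
        *:*)                 echo ssh ;;             # scp-like [user@]host:path
        *)                   echo local ;;
    esac
}

# Candidate replacement only: the path on the HTTPS server may differ, so
# confirm the URL with the host before committing it.
suggest_https() {
    echo "https://${1#*://}"
}

# Read text on stdin; print "<line>: <url> -> <candidate>" for each
# unauthenticated URL found.
audit_git_urls() {
    n=0
    set -f                                  # no globbing while word-splitting
    while IFS= read -r line; do
        n=$((n + 1))
        for word in $line; do
            case "$word" in *://*) ;; *) continue ;; esac
            if [ "$(classify_git_url "$word")" = unauthenticated ]; then
                echo "$n: $word -> $(suggest_https "$word")"
            fi
        done
    done
    set +f
}

# Constructed sample in an assumed "T: git <url>" layout; hosts are placeholders.
sample_entries() {
    cat <<'EOF'
T: git git://git.example.org/project.git
T: git https://git.example.org/project.git
T: git http://mirror.example.net/tools.git
T: git ssh://git@git.example.org/private.git
EOF
}

sample_entries | audit_git_urls
```

For an existing local clone, git's `url.<base>.insteadOf` configuration can rewrite such URLs without editing the file that lists them.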