Killing plaintext git:// in favor of https:// cloning
Eclipse Webmaster (Denis Roy)
webmaster at eclipse.org
Mon Feb 22 20:57:07 CET 2016
On 22/02/16 02:50 PM, Joe Anakata wrote:
>> Yes, why?
>> What's the point?
>> The repos are public, so cloning them over https brings nothing, except
>> extra overhead and server load.
> While pretty unlikely, in theory someone could MITM a git:// clone and
> send the user a hax0red branch of cgit with integrated botnet which
> the user then compiles and installs on their server.
Everything is possible "in theory" ... But folks really need to stop
thinking that https is the impenetrable solution to everything.