Killing plaintext git:// in favor of https:// cloning
Eclipse Webmaster (Denis Roy)
webmaster at eclipse.org
Mon Feb 22 20:57:07 CET 2016
On 22/02/16 02:50 PM, Joe Anakata wrote:
>> Yes, why?
>> What's the point?
>>
>> The repos are public, so cloning them over https brings nothing, except
>> extra overhead and server load.
> While pretty unlikely, in theory someone could MITM a git:// clone and
> send the user a hax0red branch of cgit with integrated botnet which
> the user then compiles and installs on their server.
>
Everything is possible "in theory" ... But folks really need to stop
thinking that https is the impenetrable solution to everything.