On 22/02/16 19:16, Jason A. Donenfeld wrote:
>> Now that git.zx2c4.com runs over HTTPS, I'm considering getting rid of
>> the plaintext git:// endpoint for cloning.

Ferry Huberts Proclaimed Thus:
>Yes, why?
>What's the point?
>
>The repos are public, so cloning them over https brings nothing, except
>extra overhead and server load.

While pretty unlikely, in theory someone could MITM a git:// clone and send the user a hax0red branch of cgit with integrated botnet which the user then compiles and installs on their server. Not sure if the extra server load is worth it to defend against this case or not.

(Also, presumably the server is using the cgit smart http endpoint so https clone is not much additional DATA, just the ssl handshake; but definitely additional cpu for crypto operations.)

Thanks
-Joe
