"Jason A. Donenfeld" <[email protected]> wrote:
> Now that git.zx2c4.com runs over HTTPS, I'm considering getting rid of
> the plaintext git:// endpoint for cloning.
> Does anybody have any objections or comments?

I suggest keeping git:// running as automated mirrors may not be
monitored very closely or easily updated.

git already has plenty of integrity checking built-in and getting
the proper hashes for the heads/tags over a trusted-enough medium
is enough (or reading the fine code).

And as others have said, HTTPS isn't impenetrable and the CA system
is still a major problem.

Also, TLS libraries can introduce new bugs and vulnerabilities like
Heartbleed. Quoting from http://www.postfix.org/TLS_README.html

| By turning on TLS support in Postfix, you not only get the
| ability to encrypt mail and to authenticate remote SMTP clients
| or servers. You also turn on thousands and thousands of lines of
| OpenSSL library code. Assuming that OpenSSL is written as
| carefully as Wietse's own code, every 1000 lines introduce one
| additional bug into Postfix.

Something to keep in mind :)
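The check the message describes, comparing the heads/tags a git:// server advertises against hashes obtained over a trusted medium, as an added example that is not part of the original post. It assumes the trusted list is a file of `<object-id> <refname>` lines and that `git ls-remote` output was saved to a file; `check_refs`, `make_samples` and the sample object ids are hypothetical and constructed.

```shell
#!/bin/sh
# check_refs PINNED LSREMOTE  (hypothetical helper, not part of git or cgit)
#   PINNED:   "<object-id> <refname>" lines obtained over a trusted medium
#   LSREMOTE: saved output of `git ls-remote <url>` from the untrusted transport
# Returns 0 only if every pinned ref is advertised with the pinned object id.
check_refs() {
    awk '
        FILENAME == ARGV[1] {                      # first file: trusted pins
            if (NF == 2 && $1 !~ /^#/) { want[$2] = $1; n++ }
            next
        }
        ($2 in want) { seen[$2] = $1 }             # second file: advertised refs
        END {
            if (n == 0) { print "no pinned refs"; exit 2 }   # fail closed
            for (r in want) {
                # Append "" to force string comparison: awk would otherwise
                # compare digit-only or "0e..."-style ids as numbers.
                if (!(r in seen))                      { print "MISSING " r; bad = 1 }
                else if ((seen[r] "") != (want[r] "")) { print "MISMATCH " r " advertised " seen[r]; bad = 1 }
                else                                   { print "OK " r }
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample data: the object ids are placeholders, not real commits.
make_samples() {
    A=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa B=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    C=cccccccccccccccccccccccccccccccccccccccc D=dddddddddddddddddddddddddddddddddddddddd
    printf '%s %s\n'  "$A" refs/heads/master "$B" refs/tags/v1.0 > "$1/pinned"
    printf '%s\t%s\n' "$A" refs/heads/master "$B" refs/tags/v1.0 \
                      "$C" refs/heads/wip > "$1/honest"
    printf '%s\t%s\n' "$A" refs/heads/master "$D" refs/tags/v1.0 > "$1/tampered"
}

d=$(mktemp -d)
make_samples "$d"
check_refs "$d/pinned" "$d/honest"   && echo "honest capture: verified"
check_refs "$d/pinned" "$d/tampered" || echo "tampered capture: rejected"
rm -rf "$d"
```

For annotated tags, `git ls-remote` also lists a peeled `refs/tags/<name>^{}` entry; pin whichever object id the trusted source published.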
