On Sun, 29 Mar 2015 18:41:33 +0200
Sebastian Pipping <sp...@gentoo.org> wrote:

> Hi!
> 
> 
> For the current Gentoo Git setup I found these methods working for
> accessing a repository, betagarden in this case:
> 
>   git://anongit.gentoo.org/proj/betagarden.git
>  (git://git.gentoo.org/proj/betagarden.git)
>  (git://git.overlays.gentoo.org/proj/betagarden.git)
> 
>   http://anongit.gentoo.org/git/proj/betagarden.git
> 
>  (http://cgit.gentooexperimental.org/proj/betagarden.git)
> 
>   git+ssh://g...@git.gentoo.org/proj/betagarden.git
>  (git+ssh://g...@git.overlays.gentoo.org/proj/betagarden.git)
> 
> Those without braces are the ones announced at the repository's page
> [1].
> 
> My concerns about the current set of supported ways of transfer are:
> 
>  * There does not seem to be support for https://.  Please add it.
> 
>  * Why do we serve Git over git:// and http:// if those are vulnerable
>    to man-in-the-middle attacks (before having waterproof GPG
>    protection for whole repositories in place)?
>    Especially with ebuilds run by root, we cannot afford MITM.
> 
> 
> So I would like to propose that
> 
>  * support for Git access through https:// is activated,
> 
>  * Git access through http:// and git:// is deactivated, and
> 
>  * the URLs on gitweb.gentoo.org and the Layman registry are
>    updated accordingly.  (Happy to help with the latter.)
> 
> 
> Thanks for your consideration.
> 
> Best,
> 
> 
> 
> Sebastian
> 
> 
> [1] https://gitweb.gentoo.org/proj/betagarden.git/
> 
> 
Doesn't git:// use SSH, which is secure? I think that was on GitHub.
