On Mon, Jun 24, 2013 at 03:35:19PM -0700, Junio C Hamano wrote:
> > I don't understand this. How is git:// insecure?
> If your DNS is poisoned, or your router is compromised to allow your
> traffic diverted, you may be fetching from somewhere you did not
> intend to. As I explained in a separate message, that does not
> necessarily result in your repository corrupting, but the result,
> even though it may be "git fsck" clean at the bit level, needs
> additional validation measure, such as signed tags, to be safely
> used to base your further work on top.
Thanks for the explanation. Of course you need to verify your latest
commit sha1 against a trustworthy source. That would be enough to
prevent this scenario, yes?
If we add warnings for git:// should we also add warnings for
http://? Or do we consider that common knowledge?
Med vänliga hälsningar
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html