Our sysadmins are mainly worried about a possible MITM which might give
users a completely wrong repo.

For sure users might simply compare the hash of HEAD from the https'ed site
with the repo browser with what they've got in the checkout. But that's an
extra step which we'd like to avoid without security harm :)

On Fri, Dec 27, 2013 at 8:12 PM, Andreas Schwab <sch...@linux-m68k.org> wrote:
> Sergey Sharybin <sergey....@gmail.com> writes:
>> So guess we just need to recommend using https:// protocol instead of
>> git:// for our users?
> Given how easy it is to verify the integrity of a git repository out of
> band there isn't really much of added security by using TLS for
> transport.
> Andreas.
> --
> Andreas Schwab, sch...@linux-m68k.org
> GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
> "And now for something completely different."

With best regards, Sergey Sharybin
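
The manual check discussed in this thread (comparing the hash of HEAD against a value read over a trusted channel) can be scripted as below. This is an added example, not part of the original messages; the function name `verify_checkout` and its arguments are assumptions, and the trusted hash is supplied by the caller.

```shell
#!/bin/sh
# Added example: out-of-band check of a fresh clone.
# EXPECTED is the full commit hash read from a trusted channel (for instance
# an HTTPS repository browser); the caller supplies it.

# verify_checkout REPO_DIR EXPECTED [REV]
# Returns 0 when REV (default HEAD) in REPO_DIR is exactly EXPECTED and the
# object store passes git fsck; 1 on mismatch; 2 on bad input.
verify_checkout() {
    repo=$1
    expected=$2
    rev=${3:-HEAD}

    # Require a full object name: an abbreviated hash is far easier for a
    # substituted repository to match than the complete value.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash must be lowercase hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ] && [ "${#expected}" -ne 64 ]; then
        echo "expected hash must be 40 (SHA-1) or 64 (SHA-256) hex digits" >&2
        return 2
    fi

    # Resolve REV to the commit it names; --verify rejects anything that
    # does not resolve to exactly one object.
    actual=$(git -C "$repo" rev-parse --verify --quiet "${rev}^{commit}") || {
        echo "cannot resolve $rev in $repo" >&2
        return 2
    }

    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $rev is $actual, trusted value is $expected" >&2
        return 1
    fi

    # The commit hash covers the whole history only if every object really
    # hashes to its name; fsck re-checks that for the local object store.
    git -C "$repo" fsck --no-dangling >/dev/null 2>&1 || {
        echo "object store failed git fsck" >&2
        return 1
    }
    echo "OK: $rev matches $expected"
}
```

The check is only as trustworthy as the channel the expected hash came from.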