Security in this case is about being sure everyone gets exactly the
same repository as stored on the server, without any modifications to
the sources cased by MITM.

As for "smart" http, this seems pretty much cool.However, we're
currently using lighthttpd, so it might be an issue. We'll check on
whether "smart" http is used there, and if not guess it wouldn't be a
big deal to switch to apache.

On Fri, Dec 27, 2013 at 8:20 PM, Matthieu Moy
<> wrote:
> Andreas Schwab <> writes:
>> Sergey Sharybin <> writes:
>>> So guess we just need to recommend using https:// protocol instead of
>>> git:// for our users?
>> Given how easy it is to verify the integrity of a git repository out of
>> band there isn't really much of added security by using TLS for
>> transport.
> You can verify integrity after the fact, but not guarantee
> confidentiality ... so it again depends on the definition of "security".
> --
> Matthieu Moy

With best regards, Sergey Sharybin
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to
More majordomo info at

Reply via email to