> For my own servers I would turn off the HTTP protocol for push/pull
> anyway...

Why?

> I like to have http only for the Gitorious web interface. I can open
> only SSH and HTTP ports in the router and require login to the web
> interface. I use this setup too for my private data.

You can protect HTTP push the same way. The way it's currently implemented (thanks to JGit's fantastic API), you can basically provide a separate security handler for HTTP(S) push - or even accept push through a different host name (which can be protected by a firewall and so on).

> Besides... I kind of trust SSH more than anything else in this world...
> I will have a hard time deciding to allow any other push protocol in my
> own servers...

I'd argue that the HTTPS approach actually has better security. It's very restricted, does not require a privileged/dedicated user to log in to the server, and is built for this one purpose only. If you have specific security concerns, please share.

Christian
