On Tue, 2021-11-02 at 08:16 -0700, Khem Raj wrote:
> Can we change bitbake fetcher to default to https instead of git
> anonymous protocol as fallback? This will be a good security measure
> too.

Some servers out there (e.g. our own git.yoctoproject.org) have slightly different git and https URLs so this isn't as simple as you'd think.

The security offered by https isn't as great as it first sounds when you consider most of our recipes do have the revisions coded into them so whilst you can break into a protocol stream, you do also have to correctly spoof the revision too which is much harder. As such, only floating SRCREV recipes are at risk from the connection encryption in our case.

Whether we should switch more of our URLs over to https is a different question. There is an open bug asking for this to happen for all the git.yoctoproject.org URLs since https is easier on firewalls but I've never really wanted to make the change, believing that people do need to get their network setup correctly anyway. I did also think that the git protocol could be more efficient in some cases although how true that is now I'm not sure. GitHub is a little different in that they don't use the standard git server code so the optimisations there are different.

Cheers,

Richard
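
The following is an added example, not part of the original message and not bitbake code: a small audit that flags the case the reply singles out, a git SRC_URI fetched over an unencrypted transport together with a SRCREV that is not a fixed commit hash. The recipe snippets and the `audit` helper are constructed for illustration, and it assumes the fetcher uses the git protocol when no `protocol=` parameter is given, as the quoted question implies.

```python
import re

# Constructed sample recipes (not taken from any real layer).
SAMPLES = {
    "pinned-git.bb": '''
SRC_URI = "git://git.example.org/foo;branch=master"
SRCREV = "0123456789abcdef0123456789abcdef01234567"
''',
    "floating-git.bb": '''
SRC_URI = "git://git.example.org/bar;branch=master \\
           file://fix.patch"
SRCREV = "${AUTOREV}"
''',
    "floating-https.bb": '''
SRC_URI = "git://git.example.org/baz;protocol=https;branch=master"
SRCREV = "${AUTOREV}"
''',
}

# Matches SRC_URI / SRCREV assignments, including overrides and += / ?= forms.
ASSIGN = re.compile(r'^((?:SRC_URI|SRCREV)[\w:-]*)\s*[+?:.]*=[+.]?\s*"([^"]*)"', re.M)
FULL_SHA1 = re.compile(r'^[0-9a-f]{40}$')
CLEARTEXT = {"git", "http"}  # transports without connection encryption

def audit(recipe_text):
    """Return (uri, protocol) pairs that combine a floating revision
    with a cleartext git transport. Conservative: one floating SRCREV
    marks every git URI in the recipe."""
    uris, revs = [], []
    for name, value in ASSIGN.findall(recipe_text):
        if name.startswith("SRCREV_FORMAT"):
            continue  # naming template, not a revision
        if name.startswith("SRC_URI"):
            uris += value.replace("\\\n", " ").split()
        else:
            revs.append(value.strip())
    floating = any(not FULL_SHA1.match(r) for r in revs)
    findings = []
    for uri in uris:
        scheme, _, rest = uri.partition("://")
        if scheme != "git":
            continue
        params = dict(p.split("=", 1) for p in rest.split(";")[1:] if "=" in p)
        proto = params.get("protocol", "git")  # assumed fetcher fallback
        if floating and proto in CLEARTEXT:
            findings.append((uri, proto))
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text) or "ok")
```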
