On Tue, Nov 2, 2021 at 10:32 AM Richard Purdie <[email protected]> wrote:
>
> On Tue, 2021-11-02 at 08:16 -0700, Khem Raj wrote:
> > Can we change bitbake fetcher to default to https instead of git
> > anonymous protocol as fallback? This will be a good security measure
> > too.
>
> Some servers out there (e.g. our own git.yoctoproject.org) have slightly
> different git and https urls so this isn't as simple as you'd think.
>
> The security offered by https isn't as great as it first sounds when you
> consider most of our recipes do have the revisions coded into them so whilst you
> can break into a protocol stream, you do also have to correctly spoof the
> revision too which is much harder. As such, only floating SRCREV recipes are at
> risk from the connection encryption in our case.

I understand that. However, the reality is that organizations have IT teams
which are catering to a wider set of security needs and have been proactively
moving to use https. In this case, it reduces friction more than anything else.
Regardless of github switching to https, it's also pretty much a given that
other organizations will do so or are already doing it.

>
> Whether we should switch more of our urls over to https is a different question.
> There is an open bug asking for this to happen for all the git.yoctoproject.org
> urls since https is easier on firewalls but I've never really wanted to make
> the change, believing that people do need to get their network setup correctly
> anyway. I did also think that the git protocol could be more efficient in some
> cases although how true that is now I'm not sure. github is a little different
> in that they don't use the standard git server code so the optimisations there
> are different.

Added layers by https might slow things down, sure, but by how much? And then,
is this a price that is worth paying is the question.

>
> Cheers,
>
> Richard
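
The distinction drawn in this thread (a pinned SRCREV versus a floating one fetched over the anonymous git protocol) can be checked across a layer. The following is an added example, not part of the original messages and not BitBake code; it assumes simple quoted `SRC_URI`/`SRCREV` assignments, that a `git://` entry without `protocol=` uses the git protocol as the thread describes, and constructed sample recipes with placeholder host names.

```python
import re

# Transports with no encryption or server authentication (assumption of this example).
PLAINTEXT = {"git", "http"}
PINNED = re.compile(r"^[0-9a-f]{40}$")
ASSIGN = re.compile(r'^\s*(SRC_URI|SRCREV)\s*[:+?.]?=\s*"([^"]*)"', re.M)

# Constructed sample recipes; host names and revisions are placeholders.
SAMPLES = {
    "pinned-git.bb": 'SRC_URI = "git://git.example.org/foo;branch=master"\n'
                     'SRCREV = "0123456789abcdef0123456789abcdef01234567"\n',
    "floating-git.bb": 'SRC_URI = "git://git.example.org/bar;branch=master"\n'
                       'SRCREV = "${AUTOREV}"\n',
    "floating-https.bb": 'SRC_URI = "git://git.example.org/baz;protocol=https \\\n'
                         ' file://fix.patch"\nSRCREV = "${AUTOREV}"\n',
}

def git_transports(src_uri):
    """Yield (url, transport) for each git:// entry in a SRC_URI value."""
    for entry in src_uri.split():
        if not entry.startswith("git://"):
            continue
        url, *params = entry.split(";")
        opts = dict(p.split("=", 1) for p in params if "=" in p)
        # Assumption from the thread: no protocol= means the git protocol.
        yield url, opts.get("protocol", "git")

def audit(recipe_text):
    """Return (url, transport, srcrev_kind, at_risk) for each git source."""
    src_uri, srcrev = "", ""
    for name, value in ASSIGN.findall(recipe_text):
        if name == "SRC_URI":
            src_uri += " " + value   # SRC_URI values accumulate
        else:
            srcrev = value           # last SRCREV assignment wins
    # Anything that is not a full commit hash must be resolved over the network.
    kind = "pinned" if PINNED.match(srcrev) else "floating"
    return [(url, proto, kind, kind == "floating" and proto in PLAINTEXT)
            for url, proto in git_transports(src_uri)]

def at_risk_recipes(recipes):
    """Names of recipes with a floating revision on a plaintext transport."""
    return sorted(n for n, text in recipes.items()
                  if any(row[3] for row in audit(text)))

if __name__ == "__main__":
    print(at_risk_recipes(SAMPLES))
```
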
