On Fri, 2016-10-07 at 22:16 -0400, Mike Gerwitz wrote:
> On Mon, Sep 19, 2016 at 12:30:03 +0200, Hanno Böck wrote:
> > *The code repositories*
> >
> > Now all of the above can be alleviated a bit if a user carefully uses
> > https all the time manually or uses a plugin like https everywhere. But
> > even more worrying is that there is no way to access the savannah git
> > repositories in a secure way for anonymous users.
> >
> > If you look at a repository site like this:
> > http://savannah.gnu.org/git/?group=patch
> >
> > There are two ways to clone the repo: Over the git:// protocol, which
> > is plaintext and insecure, and over ssh, which is only available if you
> > have a savannah account and are a member of that project. Therefore for
> > all people that are not part of a project there is no secure way of
> > getting the git code.

Most replies seem to be concentrating on the Savannah web page, but personally I think this lack of any ability to retrieve source via a secure channel, even if one wanted to, is a much bigger issue. Maybe we can concentrate on what it would take to solve this problem immediately, and leave the less clear-cut issues for later?