Leo Famulari wrote:
> The advantage of HTTPS compared to SSH is that it can be used
> anonymously, without setting up a Savannah account. Currently, users who
> wish to fetch source code from Savannah using an authenticated protocol
> must create a Savannah account. This is inconvenient for casual users.

I am sympathetic. And as you know we are heading toward https everywhere that https can be used. However you would not believe how many things need significant effort in order to get there. Because over the decades the collection of services that is Savannah has acquired quite a few features and warts. Just git itself has moved back and forth a half dozen times and been reverted due to showstopper problems due to previously unknown conflicts. It seemed a lot simpler to me too before I became sucked into the machinery. :-)

> I bet that most of them use the unauthenticated HTTP or Git protocols
> and are vulnerable to man-in-the-middle attacks and eavesdropping.

Certainly it is vulnerable to eavesdropping. And to some extent https metadata is also vulnerable too. And since all of the hosted projects that might be downloaded are available to anyone I think that even with https it is possible for a well funded attacker with access to the metadata to know what someone has downloaded. But with git using SHA1 hashes for everything I think it would be quite the challenge to produce a viable modification attack. (However I acknowledge that some of the proof-of-concept attacks for other attacks that I have looked at have quite surprised me by the cleverness used and that they did work.)

> For this reason, I would not call HTTPS a fallback method, but
> rather in the same class as SSH.

I disagree. I don't think https is in the same league here. But that doesn't mean I am trying to stop https. Far from it. I have put in a lot of time trying to get everything moving forward. It is available now.

> > git clone https://git0.savannah.gnu.org/git/emacs.git
> > Cloning into 'emacs'...
> > ... takes about twenty minutes with no output on my network ...
>
> I think this is a regression from the old Savannah server. The old
> server appears to use the so-called "smart HTTP" Git protocol [0], which
> provides informative output while it is working. On the other hand, the
> "dumb HTTP" Git protocol [1] does not provide any output.

Drat! This does appear to be a regression. In your opinion is that enough of a regression to warrant reverting (once again) the git service back to the old server? Of course that means another IP address change thrash for people who have ssh configured to watch such things. And more delay in getting things moved. Sigh.

> It takes me ~40 seconds to clone the Guix Git repository from
> <https://git0.savannah.gnu.org/git/guix.git>. To me, that's pretty fast
> for an 83 MB download. And it's the same speed as cloning over SSH from
> the old server.

Of course I chose Emacs because it has a large repository of about 275M and my network is probably slower. :-)

Bob
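The smart/dumb HTTP distinction discussed in the thread is decided by the very first response of a clone: a smart server answers `GET <repo>/info/refs?service=git-upload-pack` with content type `application/x-git-upload-pack-advertisement` and a pkt-line body opening with `# service=git-upload-pack`, while a dumb server simply serves the plain `info/refs` file. The classifier below is an added example, not code from this email thread or from Savannah's setup; the sample responses and the commit id in them are constructed.

```python
import re

SMART_CT = "application/x-git-upload-pack-advertisement"
SERVICE_HDR = b"# service=git-upload-pack"
FLUSH = b"0000"                                   # flush-pkt, ends a section
DUMB_LINE = re.compile(r"[0-9a-f]{40}\t\S+")      # "<sha1>\t<refname>"

def pkt_line(data: bytes) -> bytes:
    """Frame one Git pkt-line: 4 hex digits of total length, then payload."""
    return b"%04x" % (len(data) + 4) + data

def read_pkt_lines(body: bytes):
    """Split a pkt-line stream into payloads (b'' marks a flush-pkt).
    Returns None when the length framing does not add up."""
    pkts, pos = [], 0
    while pos + 4 <= len(body):
        try:
            length = int(body[pos:pos + 4], 16)
        except ValueError:
            return None
        if length == 0:                           # flush-pkt
            pkts.append(b"")
            pos += 4
            continue
        if length < 4 or pos + length > len(body):
            return None
        pkts.append(body[pos + 4:pos + length])
        pos += length
    return pkts if pos == len(body) else None

def classify_info_refs(content_type: str, body: bytes) -> str:
    """Return "smart", "dumb" or "invalid" for an info/refs response."""
    mime = content_type.split(";")[0].strip().lower()
    if mime == SMART_CT:
        pkts = read_pkt_lines(body)
        # A smart client requires the first pkt-line to name the service.
        if not pkts or pkts[0].rstrip(b"\n") != SERVICE_HDR:
            return "invalid"
        return "smart"
    # Any other content type is treated as the dumb protocol: a plain
    # "<sha1>\t<refname>" listing (git update-server-info output).
    lines = body.decode("utf-8", "replace").splitlines()
    if any(not DUMB_LINE.fullmatch(line) for line in lines):
        return "invalid"
    return "dumb"

# Constructed samples; SHA is a placeholder, not a real commit id.
SHA = "0123456789abcdef0123456789abcdef01234567"
SMART_SAMPLE = (pkt_line(SERVICE_HDR + b"\n") + FLUSH
                + pkt_line(SHA.encode() + b" HEAD\0multi_ack side-band-64k\n")
                + pkt_line(SHA.encode() + b" refs/heads/master\n") + FLUSH)
DUMB_SAMPLE = (SHA + "\trefs/heads/master\n").encode()
```

Against a live server, `curl -si 'https://<host>/<repo>.git/info/refs?service=git-upload-pack' | head` shows which of the two content types is actually returned.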