Hi Marcus, > > Where did you see git0.savannah.gnu.org documented so that this may be > > corrected? > > I got that URL from the gitweb instance  that the autoconf savannah > page  points to.
> http://git.savannah.gnu.org/gitweb/?p=autoconf.git Aha! We look at these pages all of the time and after a while the details all blur together. That should have been fixed last December! That was set that way during turn-on of the new server image and should never have escaped into production. Thank you for letting us know. I have fixed it now. I also removed the DNS alias too so that it can't be used moving forward. > Admittedly, the savannah page itself has a non-TLS variant of the URL: > > git clone http://git.sv.gnu.org/r/autoconf.git Right. You may use either. However the https is recommended. But we don't prevent people from using the http or git protocols. For some those are the only ones they can easily get to. > but: non-TLS http for source code distribution felt like it shouldn't be > the recommended way, so I payed no further attention to that http://... > URL, and just clicked through to the webgit to figure out a way of > cloning that would allow to check authenticity of the remote! You may use either. And of course people should always check gpg signatures to verify the validity of downloaded bits regardless of the protocol. Bob