[savannah-help-public] [sr #109093] Support and require cloning via http
From: anonymous
Subject: [savannah-help-public] [sr #109093] Support and require cloning via https:// instead of git://, http://, svn://, or other insecure transport
Date: Wed, 13 Jul 2016 22:25:28 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
URL:
<http://savannah.gnu.org/support/?109093>
Summary: Support and require cloning via https:// instead of
git://, http://, svn://, or other insecure transport
Project: Savannah Administration
Submitted by: None
Submitted on: Wed 13 Jul 2016 10:25:24 PM UTC
Category: Source code repositories - anonymous access
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email: address@hidden
Operating System: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
Due to man-in-the-middle attacks, the only secure ways to clone a repository
are HTTPS and SSH. git://, http://, svn://, and others are all insecure.
However, Savannah recommends cloning via the insecure git:// protocol, and
indeed it is not even possible to clone via the secure https:// protocol in
many cases! This is a security risk (remote execution of arbitrary code) for
anyone who does an anonymous checkout of any project over an insecure means of
transport.
Git (at least) provides a smart HTTP(S) server, which is much faster than the
old "dumb HTTP" transport, and roughly as fast as SSH. Performance of the
git:// protocol is irrelevant as it is insecure.
The result for me is that I am not able to use the Git master of binutils-gdb
to debug my Rust programs, among other problems.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?109093>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
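
Added example, not part of the original request or of Savannah's code: a shell check that flags remotes using the transports the request calls insecure (git://, http://, svn://). The function names, the example.org hosts and the sample remote list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag remotes that use an unauthenticated, unencrypted transport.

# classify_transport URL -> prints encrypted | plaintext | local | unknown
classify_transport() {
    case "$1" in
        https://*|ssh://*|git+ssh://*|ssh+git://*|svn+ssh://*) echo encrypted ;;
        git://*|http://*|svn://*|ftp://*) echo plaintext ;;
        file://*|/*|./*|../*) echo local ;;
        *://*) echo unknown ;;
        *)
            # scp-like syntax (user@host:path) means SSH when a colon
            # appears before the first slash; otherwise it is a local path.
            case "${1%%/*}" in
                *:*) echo encrypted ;;
                *)   echo local ;;
            esac ;;
    esac
}

# audit_remotes: reads `git remote -v` style lines (name url kind) on stdin,
# prints the plaintext ones, returns 1 if any were found and 0 otherwise.
audit_remotes() {
    found=0
    while read -r name url kind; do
        [ -n "$url" ] || continue
        if [ "$(classify_transport "$url")" = plaintext ]; then
            echo "plaintext transport: $name $url $kind"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample in the layout of `git remote -v` (hosts are placeholders).
SAMPLE_REMOTES='origin git://git.example.org/project.git (fetch)
origin ssh://user@git.example.org/project.git (push)
mirror http://git.example.org/project.git (fetch)
upstream https://git.example.org/project.git (fetch)'

# Demo run on the sample; in a real checkout use: git remote -v | audit_remotes
printf '%s\n' "$SAMPLE_REMOTES" | audit_remotes || true
```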