Re: [Savannah-hackers-public] git over https
From: Bob Proulx
Subject: Re: [Savannah-hackers-public] git over https
Date: Tue, 7 Feb 2017 14:56:43 -0700
User-agent: NeoMutt/20170113 (1.7.2)

Paul Smith wrote:
> Leo Famulari wrote:
> > Bob Proulx wrote:
> > > Paul Smith wrote:
> > > > The current one works fine for me except that I really want HTTPS
> > > > support, which the current server doesn't provide.
> > >
> > > First let me ask why you want https access? It is terribly slow. You
> > > are a member and can use ssh. Why not use ssh access? There is no
> > > advantage to using https over ssh but there are many disadvantages.
> > > It is really only a last ditch fallback method.
>
> Sorry Bob, somehow I either never got or accidentally deleted your
> reply :(.

Yep. My mail. Right into the spam folder. :-)

> The access is not for me; I do indeed use SSH. As Leo points out the
> access is for anonymous read-only access that is secure and proof
> against MitM attacks.

Thorsten Glaser poked us in relation to deprecating the cvs pserver
support to use anonymous ssh (traditionally anoncvs) for this type of
access. See https://www.openbsd.org/papers/anoncvs-slides.pdf . What
would you think of using anonymous instead? I think that would be a
superior way to go.

And for everyone else please consider the ramifications of allowing
empty passwords. In particular is there a PAM configuration for empty
passwords for only a single user rather than globally? If you already
have a secure setup for this please let me know. (I already know how
to configure sshd for "Match User anonymous; PermitEmptyPasswords yes"
for just one user. But I am not well versed with PAM configuration.)

> I'm not asking for _authenticated_ HTTPS support, just anonymous access
> over HTTPS. More straightforwardly, I'm looking for HTTPS as an
> alternative to our current HTTP support, not an alternative to our
> current SSH support.

Whew! You had me worried there. But I think many people are looking
for it as an ssh replacement. In an attempt to do 100% of everything
over https.

Bob
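
An added example, not part of the original message: a Python check that the `PermitEmptyPasswords yes` setting mentioned above is confined to a `Match User` block for one account and is not enabled globally. The function names and both sample configurations are constructed for illustration; the check reads only sshd_config text and does not follow `Include` files or look at PAM.

```python
import re

# keyword, then whitespace or a single '=', then the arguments
DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def empty_password_scopes(config_text):
    """Return [(scope, line_no)] for every 'PermitEmptyPasswords yes'.

    scope is "global" or the criteria of the enclosing Match block.
    """
    scope, findings = "global", []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            # A Match block runs until the next Match line; "Match all" applies to everyone.
            scope = "global" if value.lower() == "all" else " ".join(value.split())
        elif key == "permitemptypasswords" and value.strip('"').lower() == "yes":
            findings.append((scope, line_no))
    return findings

def empty_passwords_confined_to(config_text, user):
    """True if no scope other than exactly 'Match User <user>' enables empty passwords."""
    for scope, _ in empty_password_scopes(config_text):
        parts = scope.split()
        # Patterns, user lists or extra criteria do not count as a single-user scope.
        if [p.lower() for p in parts[:1]] + parts[1:] != ["user", user]:
            return False
    return True

# Constructed sample: empty passwords only for the anonymous account.
SCOPED = """PasswordAuthentication yes
PermitEmptyPasswords no
Match User anonymous
    PermitEmptyPasswords yes
"""
# Constructed sample: the same Match block, but also enabled for every account.
GLOBAL = """# constructed sample
PermitEmptyPasswords=yes
Match User anonymous
    PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    for name, text in (("SCOPED", SCOPED), ("GLOBAL", GLOBAL)):
        print(name, empty_password_scopes(text), empty_passwords_confined_to(text, "anonymous"))
```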