[savannah-help-public] [sr #109093] Support and require cloning via https:// instead of git://, http://, svn://, or other insecure transport

[anonymous]

URL:
  <http://savannah.gnu.org/support/?109093>

                 Summary: Support and require cloning via https:// instead of
git://, http://, svn://, or other insecure transport
                 Project: Savannah Administration
            Submitted by: None
            Submitted on: Wed 13 Jul 2016 10:25:24 PM UTC
                Category: Source code repositories - anonymous access
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: address@hidden
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Due to man-in-the-middle attacks, the only secure ways to clone a repository
are HTTPS and SSH.  git://, http://, svn://, and others are all insecure.

However, Savannah recommends cloning via the insecure git:// protocol, and
indeed it is not even possible to clone via the secure https:// protocol in
many cases!  This is a security risk (remote execution of arbitrary code) for
anyone who does an anonymous checkout of any project over an insecure means of
transport.

Git (at least) provides a smart HTTP(S) server, which is much faster than the
old "dumb HTTP" transport, and roughly as fast as SSH.  Performance of the
git:// protocal is irrelevant as it is insecure.

The result for me is that I am not able to use the Git master of binutils-gdb
to debug my Rust programs, among other problems.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109093>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/