[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host
|
From: |
Marcus Müller |
|
Subject: |
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host |
|
Date: |
Wed, 09 Aug 2017 07:55:49 +0200 |
|
User-agent: |
K-9 Mail for Android |
Hi Bob,
Thank you very much for fixing all this on such short notice! :)
Best regards,
Marcus
On 9 August 2017 2:13:58 AM GMT+02:00, Bob Proulx <address@hidden> wrote:
>Hi Marcus,
>
>> > Where did you see git0.savannah.gnu.org documented so that this may
>be
>> > corrected?
>>
>> I got that URL from the gitweb instance [1] that the autoconf
>savannah
>> page [2] points to.
>
>> http://git.savannah.gnu.org/gitweb/?p=autoconf.git
>
>Aha! We look at these pages all of the time and after a while the
>details all blur together. That should have been fixed last December!
>That was set that way during turn-on of the new server image and
>should never have escaped into production.
>
>Thank you for letting us know. I have fixed it now. I also removed
>the DNS alias too so that it can't be used moving forward.
>
>> Admittedly, the savannah page itself has a non-TLS variant of the
>URL:
>>
>> git clone http://git.sv.gnu.org/r/autoconf.git
>
>Right. You may use either. However the https is recommended. But we
>don't prevent people from using the http or git protocols. For some
>those are the only ones they can easily get to.
>
>> but: non-TLS http for source code distribution felt like it shouldn't
>be
>> the recommended way, so I payed no further attention to that
>http://...
>> URL, and just clicked through to the webgit to figure out a way of
>> cloning that would allow to check authenticity of the remote!
>
>You may use either. And of course people should always check gpg
>signatures to verify the validity of downloaded bits regardless of the
>protocol.
>
>Bob
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.