Re: [PATCH] Replace git:// and http:// with https://



On Mon, Feb 06, 2023 at 07:27:05PM -0800, Elliott Mitchell wrote:
> On Mon, Feb 06, 2023 at 10:10:33PM -0500, Demi Marie Obenour wrote:
> > Obtaining code over an insecure transport is a terrible idea for
> > blatantly obvious reasons.  Even for non-executable data, insecure
> > transports are considered deprecated.
> 
> I completely agree with the premise, but I would suggest the better
> approach to removing use of git:// is to instead require signing of
> commits.

I fully support requiring commit signing, but I don’t consider commit
signing to be a replacement for transport encryption.  I also strongly
recommend using SSH, not GPG, for commit signing: it is vastly easier to
use and the attack surface is much, much smaller.

> I'm also under the impression git can use TLS, though I'm
> unsure whether gits:// works (and what revision of git is required).

git uses TLS via HTTPS.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature
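
An added example, not part of the message above or of the Xen project's code: one way to make a git client reach for HTTPS wherever a script or Makefile still says git:// or http://, and to refuse the plaintext transports outright. The function names and the example.org URLs are assumptions made for this illustration, and it writes only to a throwaway HOME.

```shell
#!/bin/sh
# Added example: pin git to HTTPS using an isolated, throwaway HOME so the
# real ~/.gitconfig is never touched. example.org URLs are constructed.

# Run git with only the config found under the directory given as $1.
git_in() {
    home=$1; shift
    HOME="$home" XDG_CONFIG_HOME="$home/.config" GIT_CONFIG_NOSYSTEM=1 git "$@"
}

# Rewrite plaintext URLs to https:// and forbid the plaintext transports.
# Assumption: the server offers the same repository path over HTTPS.
enforce_https() {
    git_in "$1" config --global url."https://".insteadOf "git://"
    git_in "$1" config --global --add url."https://".insteadOf "http://"
    # Defence in depth: anything that still resolves to git:// or http://
    # (for example a submodule URL) is refused rather than fetched.
    git_in "$1" config --global protocol.git.allow never
    git_in "$1" config --global protocol.http.allow never
}

# Print the URL git would actually contact, without touching the network.
effective_url() {
    git_in "$1" ls-remote --get-url "$2"
}

# Demonstration on constructed URLs.
demo_home=$(mktemp -d)
enforce_https "$demo_home"
for u in git://example.org/project.git \
         http://example.org/project.git \
         https://example.org/project.git; do
    printf '%s -> %s\n' "$u" "$(effective_url "$demo_home" "$u")"
done
rm -rf "$demo_home"
```

This only protects the transport; it says nothing about who authored the commits, which is what signing addresses.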