Hey devel,

We still have `git://` all over the place, for instance, on Vcs-Git on control files. That makes me sad. Boo insecure transports.

`git://` is plaintext, and plaintext transports are bad. I'd like to suggest we move all Vcs-Git entries to either `https` or `ssh`.

Signing tags is a good step, yes, but there will always be unsigned contents at the head of the branch, and users won't always check them when cloning a package locally. I'm sure some DDs out there will even debcheckout and upload after checking a `git diff` rather than a `debdiff`, because git never lies, right? Not everyone pulls down the package and uses debdiff, and it only takes one mistake to own systems.

`git://` provides no upside and really shouldn't exist anymore. GitHub has even turned it off[1]. Are we going to let GitHub do best practices better than Debian? Hello no!

Let's do this. There's no downside, and `git://` provides no value. Let's kill it from the archive.

Plus, `git://` is super blocked by port in a bunch of places `https` isn't. So there's that.

Cheers,
Paul

[1]: https://github.com/blog/809-git-dumb-http-transport-to-be-turned-off-in-90-days
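A check for the change proposed in the message above, as an added example that is not part of the original post: it parses control-file stanzas and reports every Vcs-Git entry whose transport is not `https` or `ssh`. The sample stanzas, host names and function names are constructed for illustration.

```python
import re

# Constructed sample debian/control stanzas (not taken from any real package).
SAMPLE_CONTROL = """\
Source: foo
Build-Depends: debhelper (>= 9),
 python3:any
Vcs-Git: git://git.example.org/foo.git

Source: bar
Vcs-Git: https://git.example.org/bar.git -b debian/sid

Source: qux
Vcs-Git: git@git.example.org:qux.git

Source: quux
Vcs-Git: http://git.example.org/quux.git
"""

ACCEPTED = {"https", "ssh"}  # the two transports the message proposes

def parse_stanzas(text):
    """Yield each stanza as a dict, folding continuation lines into their field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line.startswith("#"):
                continue  # comment line
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                key = key.strip().lower()
                fields[key] = value.strip()
        yield fields

def transport(url):
    """Return the URL scheme; scp-like user@host:path counts as ssh."""
    m = re.match(r"([a-z][a-z0-9+.-]*)://", url, re.I)
    if m:
        return m.group(1).lower()
    return "ssh" if re.match(r"[^/\s]+@[^/:\s]+:", url) else "unknown"

def audit(text):
    """List (source, scheme, url) for Vcs-Git entries on other transports."""
    findings = []
    for stanza in parse_stanzas(text):
        value = stanza.get("vcs-git")
        if value:
            url = value.split()[0]  # drop an optional "-b <branch>" suffix
            if transport(url) not in ACCEPTED:
                findings.append((stanza.get("source", "?"), transport(url), url))
    return findings
```

Plain `http://` is reported alongside `git://` because it is equally unauthenticated; the script only reports and does not rewrite URLs, since the `https` location of a repository is not always derivable from its `git://` one.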