On Fri, 2016-01-08 at 09:35 -0800, Russ Allbery wrote:
> Moving the goalposts from trivial MITM via a rogue AP to obtaining a
> fraudulent SSL certificate is probably not "hard" security, whatever
> that means to you, but is a substantial increase in the level of work
> required for the attacker.
W
On 01/08/2016 04:43 PM, Paul Tagliamonte wrote:
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
Ben Hutchings posted this not too long ago on Planet Debian:
http://womble.decadent.org.uk/blog/securing-debcheckout
Christoph Anton Mitterer writes:
> On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote:
>> I'd like to suggest we move all Vcs-Git entries to either `https` or
> I doubt https will give any real hard additional security, based on the
> inherent problems of the X.509 CA system.
Moving the
On 2016-01-08 16:43, Paul Tagliamonte wrote:
Hey devel,
We still have `git://` all over the place, for instance, on Vcs-Git on
control files. That makes me sad. Boo insecure transports.
`git://` is plaintext, and plaintext transports are bad.
I'd like to suggest we move all Vcs-Git entries to
On Friday, January 08, 2016 10:43:40 AM Paul Tagliamonte wrote:
> Hey devel,
>
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
>
> `git://` is plaintext, and plaintext transports are bad.
>
> I'd like to sugges
On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote:
> I'd like to suggest we move all Vcs-Git entries to either `https` or
I doubt https will give any real hard additional security, based on the
inherent problems of the X.509 CA system.
Per default, git would take the system CA store, which
Hi,
> http://blog.pault.ag/post/27268910152/usage-of-vcs-git-in-the-debian-archive
>
> Enter github.com/debian
>
> – IMHO, we should consider putting the repos that are already on
> GitHub under Debian namespace, so that the team of maintainers
> may be able to add new collaborators.
I'd like to
On Fri, Jan 08, 2016 at 10:43:40AM -0500, Paul Tagliamonte wrote:
> Hey devel,
>
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
>
> `git://` is plaintext, and plaintext transports are bad.
>
> I'd like to sugg
Package: lintian
Severity: wishlist
Paul Tagliamonte writes:
> We still have `git://` all over the place, for instance, on Vcs-Git on
> control files. That makes me sad. Boo insecure transports.
>
> `git://` is plaintext, and plaintext transports are bad.
>
> I'd like to suggest we move all Vcs-G
Good point, and I stand corrected. Thanks!
Let's beat GitHub!
Paul
On Fri, Jan 8, 2016 at 10:47 AM, Andrew Shadura wrote:
> On 08/01/16 16:43, Paul Tagliamonte wrote:
> > `git://` provides no upside and really shouldn't exist anymore. GitHub
> > has even turned it off[1]
> >
> > Are we going
> I'd like to suggest we move all Vcs-Git entries to either `https` or
> `ssh`.
>
As mapreri points out - this is for anon clone, so only https - as I
pointed out in a blog post years ago, ssh is a bad idea :)
http://blog.pault.ag/post/27268910152/usage-of-vcs-git-in-the-debian-archive
--
:wq
Hey devel,
We still have `git://` all over the place, for instance, on Vcs-Git on
control files. That makes me sad. Boo insecure transports.
`git://` is plaintext, and plaintext transports are bad.
I'd like to suggest we move all Vcs-Git entries to either `https` or
`ssh`.
Signing tags is a goo
12 matches