From mboxrd@z Thu Jan 1 00:00:00 1970
From: webmaster at eclipse.org (Eclipse Webmaster (Denis Roy))
Date: Mon, 22 Feb 2016 14:57:07 -0500
Subject: Killing plaintext git:// in favor of https:// cloning
In-Reply-To: <20160222195042.99D6C82323@gnosis.slac.com>
References: <20160222195042.99D6C82323@gnosis.slac.com>
Message-ID: <56CB6813.1070108@eclipse.org>

On 22/02/16 02:50 PM, Joe Anakata wrote:
>> Yes, why?
>> What's the point?
>>
>> The repos are public, so cloning them over https brings nothing, except
>> extra overhead and server load.
> While pretty unlikely, in theory someone could MITM a git:// clone and
> send the user a hax0red branch of cgit with integrated botnet which
> the user then compiles and installs on their server.
>

Everything is possible "in theory" ... But folks really need to stop
thinking that https is the impenetrable solution to everything.