This is the mail archive of the
cygwin-developers
mailing list for the Cygwin project.
Re: https access to git repo?
On 11/2/2018 9:20 AM, Eric Blake wrote:
> https://cygwin.com/git.html recommends the use of git:// for accessing
> the cygwin git repo. However, git:// suffers from man-in-the-middle
> attacks, in comparison to https://. ; On the other hand, performance of
> https:// is much worse than git:// UNLESS the git server is running a
> new enough version of git, such that it advertises
> application/x-git-upload-pack-advertisement support.
>
> Alas, the current sourceware server is running an old version of git:
>
> $ wget -S
> 'http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack'
> 2>&1 | grep Content-Type
> Content-Type: text/plain; charset=UTF-8
>
> Contrast that with other git repos:
>
> $ wget -S
> 'https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack' 2>&1 |
> grep Content-Type
> Content-Type: application/x-git-upload-pack-advertisement
>
> Is there a chance we can get sourceware to upgrade to a newer git
> server, and then update our recommendations to point people to https://
> clones instead of insecure git://, and without the current speed penalty
> that current https:// access through our non-upgraded server provides?
You'll need to ask overseerers@sourceware.org. They may have it on
there radar already but it doesn't hurt to ask.
--
cyg Simple