This is the mail archive of the cygwin-developers mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

https access to git repo?


https://cygwin.com/git.html recommends the use of git:// for accessing the cygwin git repo. However, git:// suffers from man-in-the-middle attacks, in comparison to https://. On the other hand, performance of https:// is much worse than git:// UNLESS the git server is running a new enough version of git, such that it advertises application/x-git-upload-pack-advertisement support.

Alas, the current sourceware server is running an old version of git:

$ wget -S 'http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
  Content-Type: text/plain; charset=UTF-8

Contrast that with other git repos:

$ wget -S 'https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
  Content-Type: application/x-git-upload-pack-advertisement

Is there a chance we can get sourceware to upgrade to a newer git server, and then update our recommendations to point people to https:// clones instead of insecure git://, and without the current speed penalty that current https:// access through our non-upgraded server provides?

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]