On Sun, Nov 30, 2014 at 06:48:09PM +0100, Sebastian Hahn wrote:
Hi there, git users!
Hi Sebastian!
At the same time, we've discontinued supporting clones via the git:// Protocol.
:(
It is unauthenticated and you probably shouldn't use it if at all possible.
How does that matter? All of the tags are signed by Nick Mathewson. This allows the server *and* the path to be untrusted.
Verifying the code with PGP tags isn't too hard:
# initial clone $ gpg --recv-keys 8D29319A $ git clone git://git.torproject.org/git/tor $ cd tor $ git checkout tor-0.2.4.25 $ git tag -v tor-0.2.4.25 $ ...build...
# subsequent updates $ git remote update origin # I prefer this to pull, ymmv $ git checkout tor-0.2.4.26 $ git tag -v tor-0.2.4.26 $ ...build...
Access via https:// has been provided for years, and should continue to work without any hiccups.
No issue there for folks that prefer the extra layer.
If there are questions or concerns, let's here them.
My problem with cancelling access via git:// is that the alternative (https) trains new users to think they need to trust the server. The fact is they don't. They need to trust the person identifying himself as Nick Mathewson who holds the private key for 8D29319A.
I'd much prefer they be taught not to trust the path *or* the server.
Please consider restoring git:// access.
thx,
Jason.