On Mon, Jun 24, 2013 at 03:35:19PM -0700, Junio C Hamano wrote: > > I don't understand this. How is git:// insecure? > > If your DNS is poisoned, or your router is compromised to allow your > traffic diverted, you may be fetching from somewhere you did not > intend to. As I explained in a separate message, that does not > necessarily result in your repository corrupting, but the result, > even though it may be "git fsck" clean at the bit level, needs > additional validation measure, such as signed tags, to be safely > used to base your further work on top. Thanks for the explanation. Of course you need to verify your latest commit sha1 against a trustworthy source. That would be enough to prevent this scenario, yes? If we add warnings for git:// should we also add warnings for http://? Or do we consider that common knowledge? -- Med vänliga hälsningar Fredrik Gustafsson tel: 0733-608274 e-post: iveqy@xxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html