The fact that the git transport does not do any authentication is easily overlooked. For example, DNS poisoning may result in fetching from somewhere that was not intended. Add a brief security notice to the "GIT URLS" section of the documentation stating that the git transport should be used with caution on unsecured networks. Signed-off-by: Fraser Tweedale <frase@xxxxxxxxxxx> --- Documentation/urls.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Documentation/urls.txt b/Documentation/urls.txt index 60ba300..9c8f524 100644 --- a/Documentation/urls.txt +++ b/Documentation/urls.txt @@ -11,6 +11,9 @@ and ftps can be used for fetching and rsync can be used for fetching and pushing, but these are inefficient and deprecated; do not use them). +The git transport does not do any authentication and should be used +with caution on unsecured networks. + The following syntaxes may be used with them: - ssh://{startsb}user@{endsb}host.xz{startsb}:port{endsb}/path/to/repo.git/ -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html