Hi, Fraser Tweedale wrote: > --- a/Documentation/urls.txt > +++ b/Documentation/urls.txt > @@ -11,6 +11,9 @@ and ftps can be used for fetching and rsync can be used for fetching > and pushing, but these are inefficient and deprecated; do not use > them). > > +The git transport does not do any authentication and should be used > +with caution on unsecured networks. How about the something like the following? I'm starting to think it would make more sense to add a SECURITY section to git-clone(1), though. -- >8 -- Subject: doc: clarify git:// transport security notice The recently added warning about the git protocol's lack of authentication does not make it clear that the protocol lacks both client and server authentication. The lack of non IP-based client auth is obvious (when does user enter her credentials?), while the lack of authentication of the server is less so, so emphasize it. Put the warning in context by making an analogy to HTTP's security properties as compared to HTTPS. Signed-off-by: Jonathan Nieder <jrnieder@xxxxxxxxx> --- Thanks, Jonathan diff --git a/Documentation/urls.txt b/Documentation/urls.txt index 9ccb246..bd0058f 100644 --- a/Documentation/urls.txt +++ b/Documentation/urls.txt @@ -11,8 +11,8 @@ and ftps can be used for fetching and rsync can be used for fetching and pushing, but these are inefficient and deprecated; do not use them). -The native transport (i.e. git:// URL) does no authentication and -should be used with caution on unsecured networks. +Like HTTP, the native protocol (used for git:// URLs) does no server +authentication and should be used with caution on unsecured networks. The following syntaxes may be used with them: -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html