Jeff King <peff@xxxxxxxx> writes: > On Tue, Dec 01, 2020 at 10:58:15AM +0100, Ævar Arnfjörð Bjarmason wrote: > >> Change advertised git:// links to https://. These all work as >> arguments to "git clone", but in addition they also have friendly web >> interfaces. > > This is a good idea, I think. Not only for that reason, but because > https:// is more secure. You can verify tags from the maintainer's > signature, of course, but if you are just fetching some refs, you are > relying on the remote server not to lie to you. With https://, you at > least have some assurance that it is the remote server you intended to > talk to, and not a man-in-the-middle over the totally unauthenticated > git:// protocol. > >> This leaves just git://ozlabs.org/~paulus/gitk as the only git:// >> URL. As far as I can tell there's no web interface for it. There is >> e.g. https://git.ozlabs.org/?p=ppp.git which is a frontend for >> git://git.ozlabs.org/~paulus/ppp.git, but even though cloning the repo >> at git://git.ozlabs.org/~paulus/gitk.git works (not the "git" subdomain) > > s/not/note/ in this last line? With or without the tweak, I couldn't figure out what the paragraph wanted to say. On the other hand, I didn't quite get why "friendly web interfaces" matters until trying to read the paragraph again to realize that it was talking about repository browser like gitweb and cgit. I'd probably rephrase the entire proposed commit log message to something like: Most git:// URLs listed for the copies of the Git repository have working corresponding https:// URLs that can be given to a browser to browse the repository interactively. List https:// URL instead of git:// URL for such repositories. The former is also more secure, even though it may be more expensive. without mentioning ozlabs at all. Thanks.
