From: Jonathan Nieder <jrnieder@gmail.com>
To: Fraser Tweedale <frase@frase.id.au>
Cc: gitster@pobox.com, git@vger.kernel.org
Subject: Re: [PATCH] documentation: add git transport security notice
Date: Sat, 6 Jul 2013 17:50:34 -0700 [thread overview]
Message-ID: <20130707005034.GH30132@google.com> (raw)
In-Reply-To: <1373013686-2137-1-git-send-email-frase@frase.id.au>
Hi,
Fraser Tweedale wrote:
> --- a/Documentation/urls.txt
> +++ b/Documentation/urls.txt
> @@ -11,6 +11,9 @@ and ftps can be used for fetching and rsync can be used for fetching
> and pushing, but these are inefficient and deprecated; do not use
> them).
>
> +The git transport does not do any authentication and should be used
> +with caution on unsecured networks.
How about the something like the following? I'm starting to think it
would make more sense to add a SECURITY section to git-clone(1),
though.
-- >8 --
Subject: doc: clarify git:// transport security notice
The recently added warning about the git protocol's lack of
authentication does not make it clear that the protocol lacks both
client and server authentication. The lack of non IP-based client
auth is obvious (when does user enter her credentials?), while the
lack of authentication of the server is less so, so emphasize it.
Put the warning in context by making an analogy to HTTP's security
properties as compared to HTTPS.
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
---
Thanks,
Jonathan
diff --git a/Documentation/urls.txt b/Documentation/urls.txt
index 9ccb246..bd0058f 100644
--- a/Documentation/urls.txt
+++ b/Documentation/urls.txt
@@ -11,8 +11,8 @@ and ftps can be used for fetching and rsync can be used for fetching
and pushing, but these are inefficient and deprecated; do not use
them).
-The native transport (i.e. git:// URL) does no authentication and
-should be used with caution on unsecured networks.
+Like HTTP, the native protocol (used for git:// URLs) does no server
+authentication and should be used with caution on unsecured networks.
The following syntaxes may be used with them:
next prev parent reply other threads:[~2013-07-07 0:50 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-05 8:41 [PATCH] documentation: add git transport security notice Fraser Tweedale
2013-07-07 0:50 ` Jonathan Nieder [this message]
-- strict thread matches above, loose matches on Subject: below --
2013-06-26 5:53 Fraser Tweedale
2013-06-24 10:23 Fraser Tweedale
2013-06-24 16:24 ` Junio C Hamano
2013-06-24 21:57 ` Fraser Tweedale
2013-06-24 22:27 ` Fredrik Gustafsson
2013-06-24 22:35 ` Junio C Hamano
2013-06-24 22:47 ` Fredrik Gustafsson
2013-06-24 22:28 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130707005034.GH30132@google.com \
--to=jrnieder@gmail.com \
--cc=frase@frase.id.au \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).