https access to git repo?

Eric Blake eblake@redhat.com
Fri Nov 2 13:20:00 GMT 2018


https://cygwin.com/git.html recommends the use of git:// for accessing 
the cygwin git repo.  However, git:// suffers from man-in-the-middle 
attacks, in comparison to https://.  On the other hand, performance of 
https:// is much worse than git:// UNLESS the git server is running a 
new enough version of git, such that it advertises 
application/x-git-upload-pack-advertisement support.

Alas, the current sourceware server is running an old version of git:

$ wget -S 'http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
   Content-Type: text/plain; charset=UTF-8

Contrast that with other git repos:

$ wget -S 'https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
   Content-Type: application/x-git-upload-pack-advertisement

Is there a chance we can get sourceware to upgrade to a newer git 
server, and then update our recommendations to point people to https:// 
clones instead of insecure git://, and without the current speed penalty 
that current https:// access through our non-upgraded server provides?

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
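
The Content-Type comparison in the message above can be turned into a check that also validates the response body. This is an added example, not part of the original post or of git itself; the pkt-line check follows git's HTTP protocol documentation, and the function names, object id and response bodies are constructed for illustration.

```python
import re

def pkt_line(payload: bytes) -> bytes:
    """Frame payload as a git pkt-line: 4 hex digits of total length, then data."""
    return b"%04x" % (len(payload) + 4) + payload

def classify_info_refs(url, content_type, body, service="git-upload-pack"):
    """Report whether an info/refs reply is smart or dumb HTTP, and whether it used TLS."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    smart = media_type == "application/x-%s-advertisement" % service
    if smart:
        # Smart replies begin with the pkt-line "# service=<name>"; reject
        # anything else rather than trusting the header alone.
        if not re.match(rb"[0-9a-f]{4}#", body):
            raise ValueError("smart Content-Type but body is not a pkt-line")
        first = body[4:int(body[:4], 16)].rstrip(b"\n")
        if first != b"# service=" + service.encode():
            raise ValueError("unexpected service line: %r" % first)
    return {"protocol": "smart" if smart else "dumb",
            "tls": url.lower().startswith("https://")}

# Constructed sample data (the object id is made up, not a real commit).
OID = b"1" * 40
DUMB_BODY = OID + b"\trefs/heads/master\n"
SMART_BODY = (pkt_line(b"# service=git-upload-pack\n") + b"0000"
              + pkt_line(OID + b" HEAD\0multi_ack\n") + b"0000")

if __name__ == "__main__":
    for url, ctype, body in [
        ("http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack",
         "text/plain; charset=UTF-8", DUMB_BODY),
        ("https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack",
         "application/x-git-upload-pack-advertisement", SMART_BODY),
    ]:
        print(url, classify_info_refs(url, ctype, body))
```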



More information about the Cygwin-developers mailing list