[tor-dev] Git hosting changes, git:// support discontinued

Jason Cooper tor at lakedaemon.net
Sun Nov 30 22:32:05 UTC 2014

On Sun, Nov 30, 2014 at 06:48:09PM +0100, Sebastian Hahn wrote:
> Hi there, git users!

Hi Sebastian!

> At the same time, we've discontinued supporting clones via the git://
> Protocol.


> It is unauthenticated and you probably shouldn't use it if at all
> possible.

How does that matter?  All of the tags are signed by Nick Mathewson.
This allows the server *and* the path to be untrusted.

Verifying the code with PGP tags isn't too hard:

# initial clone
$ gpg --recv-keys 8D29319A
$ git clone git://git.torproject.org/git/tor
$ cd tor
$ git checkout tor-
$ git tag -v tor-
$ ...build...

# subsequent updates
$ git remote update origin   # I prefer this to pull, ymmv
$ git checkout tor-
$ git tag -v tor-
$ ...build...

> Access via https:// has been provided for years, and should continue
> to work without any hiccups.

No issue there for folks that prefer the extra layer.

> If there are questions or concerns, let's here them.

My problem with cancelling access via git:// is that the alternative
(https) trains new users to think they need to trust the server.  The
fact is they don't.  They need to trust the person identifying himself
as Nick Mathewson who holds the private key for 8D29319A.

I'd much prefer they be taught not to trust the path *or* the server.

Please consider restoring git:// access.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141130/5eceaef5/attachment.sig>

More information about the tor-dev mailing list