[PATCH] Clone anonymously, authenticate for pushing
Mathieu Bridon
bochecha at fedoraproject.org
Wed Jul 23 14:36:13 UTC 2014
On Wed, 2014-07-23 at 10:14 -0400, Ralph Bean wrote:
> On Wed, Jul 23, 2014 at 07:41:19AM -0500, Rex Dieter wrote:
> > On 07/23/2014 07:33 AM, Mathieu Bridon wrote:
> > >This change makes the --anonymous/-a options completely unnecessary:
> > >- clones are now always done anonymously
> > >- pushes now always require authentication
> >
> > Thanks! For me, this would be a very welcome improvement.
>
> Agreed! I've seen new people get bit by it more than once when they
> just want to look around and learn.

We just discussed this in #fedora-releng, and tyll pointed out that
someone could intercept and modify the contents of the repository while
it is being cloned, because the git protocol is not encrypted.

As a result, someone could add bad commits on top of the latest HEAD
from Dist Git, I'd get them when cloning, and if I don't pay attention I
could end up pushing them back.

Not sure that's a real threat, but it could mean this patch is not such
a great idea after all. :-/

--
Mathieu
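
The concern raised in this message can be checked for in an existing checkout. The following is an added example, not part of the thread or of the patch under discussion: it reads `git remote -v` output and flags any remote that fetches over an unencrypted transport while pushing over an authenticated one. The function names and the `pkgs.example.org` URLs are constructed for illustration.

```shell
#!/bin/sh
# Classify a git remote URL by the transport it uses.
transport_of() {
    case "$1" in
        git://*)               echo "git-unencrypted" ;;
        http://*)              echo "http-unencrypted" ;;
        https://*)             echo "https" ;;
        ssh://*)               echo "ssh" ;;
        file://*|/*|./*|../*)  echo "local" ;;
        *://*)                 echo "unknown" ;;
        *@*:*)                 echo "ssh" ;;   # scp-like syntax: user@host:path
        *)                     echo "unknown" ;;
    esac
}

# Read `git remote -v` output on stdin ("name<TAB>url (fetch|push)") and
# report remotes whose fetch URL is unencrypted but which also have a push
# URL: content fetched without integrity protection could be pushed back.
audit_remotes() {
    fetch_name=""; fetch_kind=""
    while read -r name url role; do
        kind=$(transport_of "$url")
        case "$role" in
            "(fetch)")
                fetch_name=$name; fetch_kind=$kind ;;
            "(push)")
                [ "$name" = "$fetch_name" ] || continue
                case "$fetch_kind" in
                    *-unencrypted)
                        echo "RISK $name: fetch over $fetch_kind, push over $kind" ;;
                esac ;;
        esac
    done
}

# Constructed sample input in the format printed by `git remote -v`.
sample_remotes() {
    printf 'origin\tgit://pkgs.example.org/foo (fetch)\n'
    printf 'origin\tssh://user@pkgs.example.org/foo (push)\n'
    printf 'mirror\thttps://pkgs.example.org/foo (fetch)\n'
    printf 'mirror\thttps://pkgs.example.org/foo (push)\n'
}

sample_remotes | audit_remotes
```

In a real checkout, run `git remote -v | audit_remotes` instead of the sample input.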