Date:      Tue, 12 Dec 2017 15:19:50 +0000
From:      "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To:        Karl Denninger <karl@denninger.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID:  <26614.1513091990@critter.freebsd.dk>
In-Reply-To: <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>
References:  <20171205231845.5028d01d@gumby.homeunix.com> <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com> <20171210173222.GF5901@funkthat.com> <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws%2B33V8VzX1Q@mail.gmail.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg%2B7vSh=iuJ=JU09Q@mail.gmail.com> <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com> <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk> <c27552cf-45d8-7686-c60d-256537780edc@denninger.net> <26440.1513088888@critter.freebsd.dk> <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>

--------
In message <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>, Karl Denninger writes:

>> As I mentioned humorously to you in private email, I don't think
>> this particular problem will reach consensus any sooner if you are
>> also tangling it in the SVN vs GIT political issue.
>
>Fair enough but I think my underlying point -- that svn ought to provide
>the ability to distribute signed bits, and if it can't then it should
>either be wrapped or augmented to do so if possible, and tossed if not,
>remains valid.

It sure does, but knowing crypto-code and knowing the project's
decision-making process about such things, I see neither adding that
to svn nor replacing svn as feasible this side of 2020.

>Removing unencrypted transport is thus IMO a net bad as it *claims* to
>address this but doesn't.  That's bad because you now lead people to
>*believe* they have a secure means of tracking the project's bits but
>that's factually false.

+1

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
