libassuan git URL returns 404
Open, Low, Public

Description

Hi,

The clone URL specified in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libassuan.git;a=summary for protocol https:// returns 404:

$ git clone https://git.gnupg.org/libassuan.git
Cloning into 'libassuan'...
fatal: repository 'https://git.gnupg.org/libassuan.git/' not found

The URL with protocol git:// works as expected; however, git:// being vulnerable to MITM, providing a valid https:// URL would be beneficial to prevent tampering.

Thanks,
Bertrand

Event Timeline

beber created this object in space S1 Public.
$ git tag -v libassuan-2.5.6
object 6b50ee6bcdd6aa81bd7cc3fb2379864c3ed479b8
type commit
tag libassuan-2.5.6
tagger Werner Koch <wk@gnupg.org> 1687164166 +0200

small bug fixes for 2.5
gpg: Signature made Mo 19 Jun 2023 10:42:46 CEST
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [undefined]
werner claimed this task.
werner added a subscriber: werner.

Thanks Ingo.

To further explain this: What you get with https is some kind of low-end authentication using the public TLS PKI. And that is all you get. With signed commits you get what the developers actually wrote and have in the working copies. For the GnuPG core developers we are even using tokens with a signature counter to reduce the risk of malware-triggered signatures.

If for other reasons https: is required, please use the git repo at dev.gnupg.org.
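
Pinning the signer of a release tag rather than relying on the transport, as an added example (not part of the original thread and not GnuPG's own tooling): it checks GnuPG's machine-readable status output for a tag against the key fingerprint shown in the `git tag -v` output above. The function names and the sample status lines are constructed for illustration.

```shell
# Fingerprint printed by `git tag -v libassuan-2.5.6` earlier on this page.
PINNED_FPR=6DAA6E64A76D2840571B4902528897B826403ADA

# check_tag_status FPR: read GnuPG status lines ("[GNUPG:] ...") on stdin.
# Succeeds only if a good signature was made by FPR and nothing reports a
# bad, unverifiable, expired or revoked signature or key. Human-readable
# "gpg: Good signature" text is ignored, so it cannot satisfy the check.
check_tag_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { if (toupper($3) == toupper(want)) pinned = 1; else other = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !other && !bad) }
    '
}

# verify_tag REPO TAG [FPR]: verify TAG in the clone at REPO.
# `git verify-tag --raw` writes the status lines to stderr; stdout is
# discarded so only GnuPG's own output reaches the parser.
# Assumes the signer's public key is already in the local keyring,
# obtained through a channel you trust.
verify_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null |
        check_tag_status "${3:-$PINNED_FPR}"
}

# sample_status FPR: constructed status lines for a good signature by FPR
# (sample data, not captured from a real run).
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)" \
        "[GNUPG:] VALIDSIG $1 2023-06-19 1687164166 0 4 0 22 10 00 $1"
}

# Offline demonstration on the constructed sample.
if sample_status "$PINNED_FPR" | check_tag_status "$PINNED_FPR"; then
    echo "pinned signer: OK"
fi
# In a real clone: verify_tag ./libassuan libassuan-2.5.6
```

A tag that verifies against some other key already in the keyring fails this check, which a bare "Good signature" line would not tell you.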

beber reopened this task as Open. Edited Mar 4 2024, 9:02 PM

I'm re-opening this as I don't believe we went through the full extent here.

GnuPG gitweb (as in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libassuan.git;a=summary) describes https:// as a usable protocol to clone the repository, but as you pointed out, they are currently set up. Would it make sense to just remove the https:// clone URL from gitweb to remove confusion from users?

Cheers,
Bertrand

We migrated to another box and it might be the case that we planned to also support https. I need to see whether I can find notes in the etckeeper.