Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

[Paul Smith]

On Fri, 2016-10-07 at 22:16 -0400, Mike Gerwitz wrote:
> On Mon, Sep 19, 2016 at 12:30:03 +0200, Hanno Böck wrote:
> > *The code repositories*
> > 
> > Now all of the above can be aleviated a bit if a user carefully uses
> > https all the time manually or uses a plugin like https everywhere. But
> > even more worrying is that there is no way to access the savannah git
> > repositories in a secure way for anonymous users.
> > 
> > If you look at a repository site like this:
> > http://savannah.gnu.org/git/?group=patch
> > 
> > There are two ways to clone the repo: Over the git:// protocol, which
> > is plaintext and insecure, and over ssh, which is only available if you
> > have a savannah account and are a member of that project. Therefore for
> > all people that are not part of a project there is no secure way of
> > getting the git code.

Most replies seem to be concentrating on the Savannah web page, but
personally I think this lack of any ability to retrieve source via a
secure channel, even one wanted to, is a much bigger issue.

Maybe we can concentrate on what it would take to solve this problem
immediately, and leave the less clear-cut issues for later?