[PD-dev] moving to git

Jonathan Wilkes jancsika at yahoo.com
Wed Oct 14 22:30:21 CEST 2015


Oh wow, I guess it's been awhile since I've used Sourceforge.  It looks like they just offer svn (which isn't secure) and http by default.  Yikes.
It's 2015.  Users should get an encrypted connection to repos by default, no exceptions.
It's extraordinary to me that you'd let the limitations of StartSSL's free cert dictate the security of your users.  But if that really is the limiting factor, why can't you just wait half a year for EFF's "Let's Encrypt" project to ship?  Then you can get certs for however many subdomains you want, and a whole class of potential attacks on your users will disappear.
In the meantime, please don't teach users that it's ok to ignore basic internet security (plus the big, red browser warnings) just because you don't feel like paying money or asking one of many capable free-software organizations for help.
-Jonathan 


     On Wednesday, October 14, 2015 2:11 PM, IOhannes m zmölnig <zmoelnig at iem.at> wrote:
   

 On 10/14/2015 08:01 PM, Jonathan Wilkes via Pd-dev wrote:
> As strongly and politely as I can advise: PLEASE don't pull until IOhannes implements SSL by default for these repos.

the only problem here is that my certificate is only valid for
apt.puredata.info/puredata.info and *not* for git.puredata.info

if you can live with that, just use

  https://git.puredata.info/cgit/svn2git/

gfmards
IOhannes

_______________________________________________
Pd-dev mailing list
Pd-dev at lists.iem.at
http://lists.puredata.info/listinfo/pd-dev


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.puredata.info/pipermail/pd-dev/attachments/20151014/acd3b284/attachment.html>


More information about the Pd-dev mailing list