Re: Default branch names in git urls


Richard Purdie
 

On Tue, 2021-11-02 at 08:16 -0700, Khem Raj wrote:
> Can we change bitbake fetcher to default to https instead of git
> anonymous protocol as fallback? This will be a good security measure
> too.

Some servers out there (e.g. our own git.yoctoproject.org) have slightly
different git and https urls so this isn't as simple as you'd think.

The security offered by https isn't as great as it first sounds when you
consider most of our recipes do have the revisions coded into them so whilst you
can break into a protocol stream, you do also have to correctly spoof the
revision too which is much harder. As such, only floating SRCREV recipes are at
risk from the connection encryption in our case.

Whether we should switch more of our urls over to https is a different question.
There is an open bug asking for this to happen for all the git.yoctoproject.org
urls since https is easier on firewalls but I've never really wanted to make
the change, believing that people do need to get their network setup correctly
anyway. I did also think that the git protocol could be more efficient in some
cases although how true that is now I'm not sure. GitHub is a little different
in that they don't use the standard git server code so the optimisations there
are different.

Cheers,

Richard
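
The distinction drawn in this message, pinned revisions versus floating SRCREV over an unencrypted transport, can be checked per recipe. The following is an added example, not part of the original thread or of BitBake's code; the recipe text and host names are constructed, the parser is deliberately simplified, and it assumes that a `git://` entry with no `protocol=` parameter is fetched over the git protocol.

```python
import re

# Simplified parser: handles VAR = "value" with backslash continuations only,
# not full BitBake syntax (overrides, appends, includes, per-name SRCREV).
ASSIGN = re.compile(r'^\s*(SRC_URI|SRCREV)\s*\??=\s*"((?:[^"\\]|\\.)*)"', re.M | re.S)
PINNED = re.compile(r'^[0-9a-f]{40}$')  # full SHA-1 commit id
PLAINTEXT = {"git", "http"}  # transports with no encryption or server authentication


def audit_recipe(text):
    """Return (url, protocol, pinned, at_risk) for each git:// entry in SRC_URI."""
    values = {name: value for name, value in ASSIGN.findall(text)}
    srcrev = values.get("SRCREV", "").strip()
    # Anything that is not a full commit hash (e.g. ${AUTOREV}) is treated as floating.
    pinned = bool(PINNED.match(srcrev))
    findings = []
    for entry in values.get("SRC_URI", "").replace("\\\n", " ").split():
        if not entry.startswith("git://"):
            continue
        url, *params = entry.split(";")
        opts = dict(p.split("=", 1) for p in params if "=" in p)
        # Assumption: with no protocol= parameter the fetcher uses the git protocol.
        protocol = opts.get("protocol", "git")
        at_risk = protocol in PLAINTEXT and not pinned
        findings.append((url, protocol, pinned, at_risk))
    return findings


# Constructed sample recipes (hypothetical hosts and revisions).
PINNED_RECIPE = '''
SRC_URI = "git://git.example.org/foo;branch=main \\
           file://fix.patch"
SRCREV = "0123456789abcdef0123456789abcdef01234567"
'''
FLOATING_RECIPE = '''
SRC_URI = "git://git.example.org/bar;branch=main"
SRCREV = "${AUTOREV}"
'''
FLOATING_HTTPS = '''
SRC_URI = "git://git.example.org/baz;protocol=https;branch=main"
SRCREV = "${AUTOREV}"
'''

if __name__ == "__main__":
    for recipe in (PINNED_RECIPE, FLOATING_RECIPE, FLOATING_HTTPS):
        for finding in audit_recipe(recipe):
            print(finding)
```

Only the second sample is flagged: it combines a plaintext transport with a revision that is resolved at fetch time.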
