Khem Raj

On Tue, Nov 2, 2021 at 10:32 AM Richard Purdie wrote:

> On Tue, 2021-11-02 at 08:16 -0700, Khem Raj wrote:
> > Can we change the bitbake fetcher to default to https instead of the git
> > anonymous protocol as fallback? This will be a good security measure.
> Some servers out there (e.g. our own) have slightly different git and https
> urls, so this isn't as simple as you'd think.
>
> The security offered by https isn't as great as it first sounds when you
> consider most of our recipes do have the revisions coded into them, so whilst
> you can break into a protocol stream, you do also have to correctly spoof the
> revision too, which is much harder. As such, only floating SRCREV recipes are
> at risk from the connection encryption in our case.
I understand that; however, the reality is that organizations have IT teams
which are catering to a wider set of security needs and have been proactively
moving to use https. In this case, it reduces friction more than anything else.
Regardless of github switching to https, it's also pretty much a given that
other organizations will do so or are already doing it.

> Whether we should switch more of our urls over to https is a different
> question. There is an open bug asking for this to happen for all the urls
> since https is easier on firewalls, but I've never really wanted to make the
> change, believing that people do need to get their network setup correctly
> anyway. I did also think that the git protocol could be more efficient in
> some cases, although how true that is now I'm not sure. github is a little
> different in that they don't use the standard git server code, so the
> optimisations there are different.
Added layers by https might slow down, sure, but by how much? And then whether
this price is worth paying is the question.
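An added example, not part of this thread and not bitbake's own code, that puts Richard's distinction into a check a layer maintainer could run: it scans recipe text for git-fetcher entries still on the plain git:// transport and separates the ones with a floating SRCREV (${AUTOREV}, or none) from the ones with a pinned hash, then proposes the protocol=https form. The recipe fragments and the host mapping (git.example.org) are constructed for the example; the only bitbake facts relied on are that SRC_URI, SRCREV and ${AUTOREV} are its variables and that the git fetcher uses the git protocol when a host is given and no protocol= parameter is set.

```python
"""Added example (not from this thread or from bitbake): flag git:// SRC_URI
entries, separating floating-SRCREV recipes from pinned ones, and propose the
protocol=https form while honouring hosts whose https path differs."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    recipe: str
    uri: str
    reason: str


# Matches one-line `VAR = "..."` assignments of SRC_URI / SRCREV* (backslash
# continuations are joined first). Overrides such as SRC_URI:append are out
# of scope for this example.
_ASSIGN = re.compile(
    r'^\s*(SRC_URI|SRCREV\w*)\s*(\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"(.*)"\s*$'
)


def parse_recipe(text: str):
    """Return (src_uri_entries, srcrev_values) found in recipe text."""
    joined = text.replace("\\\n", " ")
    src_uris, srcrevs = [], []
    for line in joined.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        var, _op, value = m.groups()
        if var == "SRC_URI":
            src_uris.extend(value.split())
        else:
            srcrevs.append(value.strip())
    return src_uris, srcrevs


def split_uri(uri: str):
    """'git://host/path;k=v;k2=v2' -> ('git', 'host/path', {'k': 'v', 'k2': 'v2'})."""
    head, *param_parts = uri.split(";")
    scheme, _, host_path = head.partition("://")
    params = dict(p.partition("=")[::2] for p in param_parts)
    return scheme, host_path, params


def check_recipe(name: str, text: str):
    """Flag git-fetcher entries that do not use an authenticated transport.

    A floating SRCREV (${AUTOREV}, or no SRCREV at all) is the case the thread
    calls out: nothing pins which commit the fetcher must receive."""
    uris, srcrevs = parse_recipe(text)
    floating = not srcrevs or any(v == "${AUTOREV}" for v in srcrevs)
    findings = []
    for uri in uris:
        scheme, _, params = split_uri(uri)
        if scheme != "git":
            continue  # http/https/file fetchers are not the subject here
        # bitbake's git fetcher defaults to the git protocol when a host is given.
        transport = params.get("protocol", "git")
        if transport in ("https", "ssh"):
            continue
        if floating:
            reason = f"{transport}:// transport with floating SRCREV: no pinned revision to check against"
        else:
            reason = f"{transport}:// transport, but SRCREV is pinned so the fetched commit must match that hash"
        findings.append(Finding(name, uri, reason))
    return findings


# Hypothetical host whose https path is not a plain scheme swap; it stands in
# for the "slightly different git and https urls" caveat raised in the thread.
HOST_PATH_OVERRIDES = {"git.example.org": "git.example.org/cgit"}


def suggest_https(uri: str):
    """Propose the protocol=https form of a git:// SRC_URI entry."""
    scheme, host_path, params = split_uri(uri)
    if scheme != "git" or params.get("protocol", "git") != "git":
        return uri  # already https/ssh, or not the git fetcher at all
    host, _, path = host_path.partition("/")
    base = HOST_PATH_OVERRIDES.get(host, host)
    params["protocol"] = "https"
    return f"git://{base}/{path}" + "".join(f";{k}={v}" for k, v in params.items())


# Constructed recipe fragments for the demonstration.
RECIPES = {
    "floating.bb": 'SRC_URI = "git://git.example.org/tools/foo.git;branch=main"\n'
                   'SRCREV = "${AUTOREV}"\n',
    "pinned.bb": 'SRC_URI = "git://github.com/example/bar.git;branch=main \\\n'
                 '    file://0001-fix.patch"\n'
                 'SRCREV = "0123456789abcdef0123456789abcdef01234567"\n',
    "https.bb": 'SRC_URI = "git://github.com/example/baz.git;protocol=https;branch=main"\n'
                'SRCREV = "${AUTOREV}"\n',
}


def scan(recipes=RECIPES):
    """Map recipe name -> findings for every recipe given."""
    return {name: check_recipe(name, text) for name, text in recipes.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        for f in findings:
            print(f"{f.recipe}: {f.uri}\n    {f.reason}\n    suggest: {suggest_https(f.uri)}")
```

Run against a real layer by feeding each .bb file's text to check_recipe; the pinned findings are informational (the hash still has to match), while the floating ones are the recipes where the transport is the only thing standing between the fetcher and a substituted revision.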
