[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host
|
From: |
Bob Proulx |
|
Subject: |
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host |
|
Date: |
Tue, 8 Aug 2017 18:13:58 -0600 |
|
User-agent: |
NeoMutt/20170609 (1.8.3) |
Hi Marcus,
> > Where did you see git0.savannah.gnu.org documented so that this may be
> > corrected?
>
> I got that URL from the gitweb instance [1] that the autoconf savannah
> page [2] points to.
> http://git.savannah.gnu.org/gitweb/?p=autoconf.git
Aha! We look at these pages all of the time and after a while the
details all blur together. That should have been fixed last December!
That was set that way during turn-on of the new server image and
should never have escaped into production.
Thank you for letting us know. I have fixed it now. I also removed
the DNS alias too so that it can't be used moving forward.
> Admittedly, the savannah page itself has a non-TLS variant of the URL:
>
> git clone http://git.sv.gnu.org/r/autoconf.git
Right. You may use either. However the https is recommended. But we
don't prevent people from using the http or git protocols. For some
those are the only ones they can easily get to.
> but: non-TLS http for source code distribution felt like it shouldn't be
> the recommended way, so I payed no further attention to that http://...
> URL, and just clicked through to the webgit to figure out a way of
> cloning that would allow to check authenticity of the remote!
You may use either. And of course people should always check gpg
signatures to verify the validity of downloaded bits regardless of the
protocol.
Bob