[fdo] Authenticating/verifying freedesktop projects source
Tollef Fog Heen
tfheen at err.no
Sat Mar 5 12:33:44 UTC 2016
]] Marcin Szewczyk
> Unfortunately:
> - neither git commits nor tags seem to be signed,

This sounds like something that should be fixed, folks should use signed
tags whenever possible.

> - HTTPS-accessible source archives include only those that are
> stable (e.g. https://www.freedesktop.org/software/ModemManager/)
> and there are no SUMS files signed by anybody.
>
> Is it the safest method to git clone from URLs like the following ones?
> - https://anongit.freedesktop.org/git/ModemManager/ModemManager.git
> - https://anongit.freedesktop.org/git/libqmi

Yes, absent signed tags or files.

> Some of freedesktop's cgit pages suggest using http:// links. Luckily,
> the same links work with https://. But contrary to the ModemManager's cgit
> page, the libqmi cgit page doesn't contain the http:// link, only git://
> and ssh:// links. Nevertheless, the https:// link to the libqmi
> repository works.

We should probably make a sweep to get all those cleaned up so they're
on the same level.

> Should I request an SSH account[1] with read-only access to projects I
> want to clone? How do I obtain the host's fingerprint?

No.

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
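
Added example, not part of the original message or of any freedesktop tooling: a small Python audit of the two points discussed in the thread, flagging clone URLs whose transport does not authenticate the server (http://, git://) and annotated tags that carry no signature block. The example.org URLs, the tag names and the tag objects are constructed sample input; the tag text has the layout printed by `git cat-file tag <name>`.

```python
import re

# Git transports that authenticate the server: TLS certificate or SSH host key.
AUTHENTICATED = {"https", "ssh"}
SIG_MARKERS = ("-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----")

def url_scheme(url):
    """Return the transport of a git clone URL, including scp-like syntax."""
    if "://" in url:
        return url.split("://", 1)[0].lower()
    # user@host:path is git's scp-like shorthand for ssh; anything else is a path
    return "ssh" if re.match(r"^[\w.-]+@[\w.-]+:", url) else "file"

def transport_is_authenticated(url):
    return url_scheme(url) in AUTHENTICATED

def tag_has_signature(raw_tag):
    """raw_tag is the text printed by `git cat-file tag <name>`."""
    header, _, body = raw_tag.partition("\n\n")
    if not header.startswith("object "):
        return False  # not an annotated tag object, so nothing can be signed
    return any(line.strip() in SIG_MARKERS for line in body.splitlines())

def audit(urls, tags):
    """Report URLs without server authentication and tags without a signature."""
    return {
        "unauthenticated_urls": [u for u in urls if not transport_is_authenticated(u)],
        "unsigned_tags": sorted(n for n, raw in tags.items() if not tag_has_signature(raw)),
    }

# Constructed sample input (only the first URL appears in the thread).
URLS = [
    "https://anongit.freedesktop.org/git/libqmi",
    "http://example.org/git/project.git",
    "git://example.org/git/project.git",
    "ssh://example.org/git/project",
    "git@example.org:project.git",
]
_HDR = ("object " + "1" * 40 + "\ntype commit\ntag {0}\n"
        "tagger Example Dev <dev@example.org> 1457181224 +0000\n\nRelease {0}\n")
TAGS = {
    "1.0.0": _HDR.format("1.0.0"),
    "1.2.0": _HDR.format("1.2.0") + "-----BEGIN PGP SIGNATURE-----\n\n"
             "(constructed placeholder)\n-----END PGP SIGNATURE-----\n",
}

if __name__ == "__main__":
    print(audit(URLS, TAGS))
```

A signature block being present says nothing about its validity; that check is `git verify-tag <name>` against a key obtained through a trusted channel.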