Our gitweb interface currently offers 4 URL schemes, see e.g.:

https://gitweb.gentoo.org/repo/gentoo.git

git://anongit.gentoo.org/repo/gentoo.git
https://anongit.gentoo.org/git/repo/gentoo.git
http://anongit.gentoo.org/git/repo/gentoo.git
git+ssh://git@git.gentoo.org/repo/gentoo.git

Both http:// and git:// are plaintext protocols and thus shouldn't be recommended for security reasons. For this reason the major git providers (GitHub, GitLab) don't offer these by default any more (I think they're still enabled for legacy compatibility reasons, but not shown on the webpage).

I think we should only display https+ssh-based clone mechanisms.

It may also be good to deprecate the insecure variants fully, though depending on how many people clone them that probably should go along with a public announcement and maybe some transition time. (I'm not sure if cloning still works with redirects, i.e. if we redirect all http to https.)
While I agree that we should only expose HTTPS and SSH-based URLs, I want to differentiate the following paragraph a little bit:

(In reply to Hanno Boeck from comment #0)
> Both http:// and git:// are plaintext protocols and thus shouldn't be
> recommended for security reasons. For this reason the major git providers
> (GitHub, GitLab) don't offer these by default any more (I think they're
> still enabled for legacy compatibility reasons, but not shown on the
> webpage).

- The anongit host will never allow you to authenticate -- no chance to leak any credentials "by accident".

- git has its own internal mechanism to protect integrity. There's no chance for a bad ISP or something like that to interfere with a request without being noticed by the user.

Instead, a forum or a wiki which is still sending HTTP links via e-mail is a real threat.
commit b6c3548b4415b29fbfe6b1fd6c64148821f3d253 (HEAD -> production, origin/production)
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Oct 22 18:25:41 2018

    vcs: Remove git:// and http:// from cgit clone URIs

    Bug: https://bugs.gentoo.org/669286
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

They should disappear once the cgitrc update propagates.
gitweb looks good to me.
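
Hiding the plaintext URLs on the web page does not change checkouts that were already cloned from them, which is the transition question raised in comment #0. The script below is an added example (not part of this bug thread or of Gentoo's infrastructure code) that finds such remotes and maps them to the HTTPS form; the prefix mapping is inferred from the gentoo.git URLs listed in comment #0 and is assumed to hold for other repositories on the same host.

```shell
#!/bin/sh
# Added example. HTTPS_BASE and the two plaintext prefixes are taken from the
# gentoo.git URLs in comment #0; applying them to other repos is an assumption.
HTTPS_BASE='https://anongit.gentoo.org/git/'

# Print the HTTPS equivalent of a plaintext anongit URL, or the URL unchanged.
secure_url() {
    case "$1" in
        git://anongit.gentoo.org/*)
            printf '%s%s\n' "$HTTPS_BASE" "${1#git://anongit.gentoo.org/}" ;;
        http://anongit.gentoo.org/git/*)
            printf '%s%s\n' "$HTTPS_BASE" "${1#http://anongit.gentoo.org/git/}" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# Read `git remote -v` style lines ("name url (fetch)") on stdin and report
# every remote that still uses a plaintext scheme.
audit_remotes() {
    while read -r name url _; do
        case "$url" in
            git://*|http://*)
                new=$(secure_url "$url")
                if [ "$new" = "$url" ]; then
                    # Plaintext, but not a host this script knows how to map.
                    printf '%s: %s -> UNMAPPED\n' "$name" "$url"
                else
                    printf '%s: %s -> %s\n' "$name" "$url" "$new"
                fi ;;
        esac
    done
}

# Make git rewrite the plaintext prefixes transparently for this user, so old
# checkouts and copy-pasted URLs go over HTTPS without editing each remote.
install_rewrites() {
    git config --global --add url."$HTTPS_BASE".insteadOf 'git://anongit.gentoo.org/'
    git config --global --add url."$HTTPS_BASE".insteadOf 'http://anongit.gentoo.org/git/'
}
```

Run `git remote -v | audit_remotes` inside a checkout to list affected remotes; `install_rewrites` changes the user's global git configuration and is not called automatically.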