User: Password:
Subscribe / Log in / New account

Security of a git tree

Security of a git tree

Posted Mar 29, 2011 18:34 UTC (Tue) by vapier (subscriber, #15768)
In reply to: Security of a git tree by alex
Parent article: Arch Linux and (the lack of) package signing

signing a SHA1 doesnt increase confidence in SHA1 in any way. it's still a SHA1.

you missed the "resources" aspect. high compression means significantly higher cpu/mem usage which makes scaling up much harder. plus, our mirrors now have to run a git daemon to do mirroring ? it just doesnt work out.

as a developer, you can mirror the VCS tree yourself.

(Log in to post comments)

Security of a git tree

Posted Mar 30, 2011 2:08 UTC (Wed) by smurf (subscriber, #17840) [Link]

You don't need a git server for mirriring a git archive.
That works quite well with http.

Security of a git tree

Posted Apr 3, 2011 2:52 UTC (Sun) by vapier (subscriber, #15768) [Link]

i dont think you've ever used git over http. the performance is downright awful for even small repos.

Security of a git tree

Posted Apr 3, 2011 6:17 UTC (Sun) by smurf (subscriber, #17840) [Link]

I don't think you've heard of "git update-server-info".
It creates a few index files which speed up the job considerably.
(It's typically run from the post-update hook in the shared repository.)

Security of a git tree

Posted Apr 3, 2011 7:37 UTC (Sun) by jrn (subscriber, #64214) [Link]

Presumably he has, since git refuses to fetch over HTTP without it.

Perhaps the servers you've been connecting to use the (relatively) new "smart" HTTP support, which negotiates which objects to send using a CGI script.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds