Since Monday morning, we've had
https://git.exim.org available.
http://git.exim.org is still available.
Does anyone have strong opinions over whether or not
http://git should
force-redirect to
https://git ?
For FTP site contents, it doesn't make much sense, since
ftp:// remains
available and all retrievable code objects have signatures.
For git ... as far as I know, we don't have cloneable resources
available over http/https, so there's no repo breakage to risk. We also
don't currently have authenticated access and so the risk of private
repo access. So there's nothing too significant to risk.
But on the principle of "encrypted by default", we could do it, and
perhaps set some HTTP security headers.
Any opinions from those involved in dev?
-Phil
