Re: Cannot git-clone pkgsrc: SSL certificate problem: unable to get local issuer certificate

[Greg Troxel <gdt%lexort.com@localhost>]

Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost> writes:

> I'm just curious: in hindsight the git:// protocol is the native one,
> why would github want users to waste unnecessary bandwidth and cpu by
> suggesting to use https:// ? Of course the ssh:// is available, which
> I still have to setup.

It's only unnecessary if there isn't an entity conducting a
man-in-the-middle attack to send you backdoored source code.  git: is
basically like http: (in terms of security), so your question ends up
being "why would people use https: insted of http: to look at websites".

github uses ssh: to authenticate people with github accounts for
read/write access.  https: is more about ensuring that non-registered
users get authentic bits.  Keep in mind that ssh is TOFU (trust on first
use) in practice, so it doesn't necessarily get you the security you
think you may be getting.

Remember that if you don't think they are out to get you, you aren't
paranoid enough.