[Qemu-devel] [PATCH v3 2/8] get_maintainer: use 'https://' instead of 'git://'

Stefan Hajnoczi posted 8 patches 7 years ago
There is a newer version of this series
[Qemu-devel] [PATCH v3 2/8] get_maintainer: use 'https://' instead of 'git://'
Posted by Stefan Hajnoczi 7 years ago
When you clone the repository without previous commit history, 'git://'
doesn't protect from man-in-the-middle attacks.  HTTPS is more secure
since the client verifies the server certificate.

Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 scripts/get_maintainer.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index 43fb5f512f..fc7275b9e2 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -1376,7 +1376,7 @@ sub vcs_exists {
 	warn("$P: No supported VCS found.  Add --nogit to options?\n");
 	warn("Using a git repository produces better results.\n");
 	warn("Try latest git repository using:\n");
-	warn("git clone git://git.qemu.org/qemu.git\n");
+	warn("git clone https//git.qemu.org/git/qemu.git\n");
 	$printed_novcs = 1;
     }
     return 0;
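
Review bot: the added line prints `git clone https//git.qemu.org/git/qemu.git`, which lacks the ':' after `https`, so the string is not an `https://` URL and the hint does not give the user the certificate-verified transport the commit message argues for. It should read `warn("git clone https://git.qemu.org/git/qemu.git\n");`. The repository path also changes from `/qemu.git` to `/git/qemu.git` in the same line; a short mention of that in the commit message would make it clear the change is intentional.
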
-- 
2.17.2


Re: [Qemu-devel] [PATCH v3 2/8] get_maintainer: use 'https://' instead of 'git://'
Posted by Philippe Mathieu-Daudé 7 years ago
Hi Stefan,

On 4/11/18 12:24, Stefan Hajnoczi wrote:
> When you clone the repository without previous commit history, 'git://'
> doesn't protect from man-in-the-middle attacks.  HTTPS is more secure
> since the client verifies the server certificate.
> 
> Reported-by: Jann Horn <jannh@google.com>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>   scripts/get_maintainer.pl | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
> index 43fb5f512f..fc7275b9e2 100755
> --- a/scripts/get_maintainer.pl
> +++ b/scripts/get_maintainer.pl
> @@ -1376,7 +1376,7 @@ sub vcs_exists {
>   	warn("$P: No supported VCS found.  Add --nogit to options?\n");
>   	warn("Using a git repository produces better results.\n");
>   	warn("Try latest git repository using:\n");
> -	warn("git clone git://git.qemu.org/qemu.git\n");
> +	warn("git clone https//git.qemu.org/git/qemu.git\n");

You missed the ':' in the scheme. Once fixed:
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>

>   	$printed_novcs = 1;
>       }
>       return 0;
> 

Re: [Qemu-devel] [PATCH v3 2/8] get_maintainer: use 'https://' instead of 'git://'
Posted by Stefan Hajnoczi 6 years, 12 months ago
On Sun, Nov 04, 2018 at 11:37:21PM +0100, Philippe Mathieu-Daudé wrote:
> Hi Stefan,
> 
> On 4/11/18 12:24, Stefan Hajnoczi wrote:
> > When you clone the repository without previous commit history, 'git://'
> > doesn't protect from man-in-the-middle attacks.  HTTPS is more secure
> > since the client verifies the server certificate.
> > 
> > Reported-by: Jann Horn <jannh@google.com>
> > Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > ---
> >   scripts/get_maintainer.pl | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
> > index 43fb5f512f..fc7275b9e2 100755
> > --- a/scripts/get_maintainer.pl
> > +++ b/scripts/get_maintainer.pl
> > @@ -1376,7 +1376,7 @@ sub vcs_exists {
> >   	warn("$P: No supported VCS found.  Add --nogit to options?\n");
> >   	warn("Using a git repository produces better results.\n");
> >   	warn("Try latest git repository using:\n");
> > -	warn("git clone git://git.qemu.org/qemu.git\n");
> > +	warn("git clone https//git.qemu.org/git/qemu.git\n");
> 
> You missed the ':' in the scheme. Once fixed:

Gah!  Thank you!

> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> 
> >   	$printed_novcs = 1;
> >       }
> >       return 0;
> >