ccontavalli / ssh-ident

Different agents and different keys for different projects, with ssh.

Script URL in README should be directly from GitHub instead of goo.gl #42

Closed jdanford closed 7 years ago

jdanford commented 7 years ago

Currently, the URL to the ssh-ident script provided in the README is goo.gl/MoJuKB. While this is legitimate and simply points to https://raw.githubusercontent.com/ccontavalli/ssh-ident/master/ssh-ident, it goes against my security instincts. Is there a reason not to use the GitHub URL directly?

ccontavalli commented 7 years ago

The main reasons for the goo.gl link are that:

1) It is shorter - which is handy if you are copying the URL manually for whatever reason (VMs, using smart phone, ...).

2) It gives me statistics - is the link used at all? If I were to split ssh-ident into a set of libraries and scripts, would users suffer? Do people really trust installing software which will handle their passphrases and secret keys with a simple wget and no signatures or other authentication mechanisms? etc.

In terms of security, yes, eliminating the shortlink redirection will eliminate one player in the download chain. Right now, though, I don't feel like it would significantly increase security: I should really provide signatures for the full "source" - either host could have been compromised.

It also seems that only a minority of the users are using the goo.gl link? 135 accesses since 2014, vs 500 stars on GitHub, and 45 forks. Either people are starring the project without using it, or using git clone or downloading directly.

Unfortunately, GitHub does not provide very good stats :(.

Carlo
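
The comment above notes that the script is installed "with a simple wget and no signatures", so neither URL authenticates the file. As an added example (not part of this thread and not the project's code), here is a digest-pinning check a user can apply on their side; it is a hash comparison, not a signature, and the helper names and the `<PINNED_SHA256>` placeholder are assumptions:

```bash
#!/usr/bin/env bash
# Added example (not from the ssh-ident project): install a fetched script
# only when its SHA-256 matches a digest pinned out of band.

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# install_if_pinned FILE EXPECTED_SHA256 DEST (hypothetical helper name).
# Installs FILE to DEST with mode 0755 on a match; otherwise returns 1 and
# leaves DEST untouched.
install_if_pinned() {
    local file=$1 expected=$2 dest=$3 actual
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # A pin must be exactly 64 hex characters; this rejects an unfilled
    # placeholder or a truncated paste instead of silently comparing it.
    case $expected in
        *[!0-9a-fA-F]*) echo "pin is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin is not 64 chars" >&2; return 1; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# Typical use, fetching from the direct URL quoted in the issue. The digest is
# a placeholder: take it from a copy you already trust, not from the same host.
#   wget -O /tmp/ssh-ident \
#     https://raw.githubusercontent.com/ccontavalli/ssh-ident/master/ssh-ident
#   install_if_pinned /tmp/ssh-ident "<PINNED_SHA256>" "$HOME/bin/ssh-ident"
```

The pin only helps if it was recorded from a copy reviewed earlier or obtained over a separate channel; a digest fetched alongside the file from the same host shares that host's compromise.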

jdanford commented 7 years ago

Alright, thank you for explaining your reasoning, and for making such a useful tool!