google / zoekt

Fast trigram based code search

Enable Bitbucket TLS by default #111

Open greenyouse opened 4 years ago

greenyouse commented 4 years ago

I was working with deploying this against a Bitbucket data center setup but ran into a snag with TLS verification being disabled. This could open up man-in-the-middle attacks for larger organizations. Would it make sense to have this enabled by default since most users would have a server with a valid certificate?

Maybe there could be a flag to disable the TLS authentication so it is still usable without a certificate?

The main downside is that this would be a breaking change if someone depends on that and updates to the latest version of zoekt. To help with the breaking change, the new code could print out an error message to call out the disable TLS flag which the user should pass in their mirror_config.
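
The verify-by-default client with an explicit opt-out flag described above, as an added Go example (not zoekt's own code): it assumes a mirror option named DisableTLSVerify and uses a locally constructed self-signed test server to show that the default client rejects it while the opted-out client, with a logged warning, accepts it.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// MirrorConfig stands in for mirror_config; DisableTLSVerify is an assumed flag name.
type MirrorConfig struct {
	DisableTLSVerify bool
}

// NewBitbucketClient verifies the server certificate unless the operator
// explicitly opts out; the opt-out is logged so it cannot happen silently.
func NewBitbucketClient(cfg MirrorConfig) *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: cfg.DisableTLSVerify, // zero value keeps verification on
	}
	if cfg.DisableTLSVerify {
		log.Printf("WARNING: TLS certificate verification disabled via DisableTLSVerify; connections to Bitbucket can be intercepted")
	}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}
}

// ProbeSelfSigned contacts a locally constructed HTTPS server that uses a
// self-signed certificate with both settings and returns each attempt's
// error: the verifying client must fail, the opted-out client must succeed.
func ProbeSelfSigned() (verifyErr, skipErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	verifyErr = get(NewBitbucketClient(MirrorConfig{}), srv.URL)
	skipErr = get(NewBitbucketClient(MirrorConfig{DisableTLSVerify: true}), srv.URL)
	return verifyErr, skipErr
}

func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}
```

The verifying client fails with an x509 unknown-authority error, which is the behaviour a mirror should show by default.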

hanwen commented 4 years ago

I agree with you, and I didn't notice during review. Yes, this should be disabled. Send a change? (see CONTRIBUTING)

greenyouse commented 4 years ago

Sure, I can get started on a patch. I haven't worked with Go very much but this change sounds straightforward. I'll give it a shot today.