by emirb 115 days ago
You're right, that line was overstated on the homepage. I guess the security model is as with any public mirror in the FOSS world?

Git hash checks protect object integrity, so GitDelivr can't silently corrupt a packfile without Git noticing, but that still doesn't make it fully trusted.

Yes, the code could still lie about refs/HEAD and serve a different but internally valid history, and Git would accept it. The endgame here is, if this is something Cloudflare (or any other big player) would pick up to offer for free, then you'd trust it because it's a big name (and not a new domain bought yesterday after a weekend project, heh).

So the accurate security model is: a) GitDelivr preserves Git object integrity, b) it does not by itself guarantee authenticity of refs in a way you can verify, and c) in that sense it's as close to using any other HTTPS Git mirror or CDN?
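The split the comment draws between object integrity and ref authenticity, shown as an added example (not emirb's code and not GitDelivr's): it builds two internally consistent Git histories in memory using Git's real object hashing (SHA-1 over `type size\0body`), shows that a byte-level integrity check passes for both while catching a corrupted object, and then shows that a mirror advertising the "wrong" commit for `refs/heads/main` is only caught by comparing against a commit id pinned out of band. The object store, ref names, file contents and helper names are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# oid -> (object type, raw body); a stand-in for a packfile or loose-object dir
Store = Dict[str, Tuple[str, bytes]]


def git_object_id(obj_type: str, body: bytes) -> str:
    """Compute a Git object id exactly as Git does: sha1(b'<type> <len>\\0' + body)."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def add_object(store: Store, obj_type: str, body: bytes) -> str:
    oid = git_object_id(obj_type, body)
    store[oid] = (obj_type, body)
    return oid


def make_tree(entries: List[Tuple[str, str, str]]) -> bytes:
    """Serialize (mode, name, hex oid) entries in Git's binary tree format."""
    body = b""
    for mode, name, oid in entries:
        body += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return body


def make_commit(tree_oid: str, parents: List[str], message: str) -> bytes:
    """Serialize a commit object with fixed author/committer lines (constructed)."""
    lines = [f"tree {tree_oid}"] + [f"parent {p}" for p in parents]
    lines += [
        "author Example <example@example.invalid> 0 +0000",
        "committer Example <example@example.invalid> 0 +0000",
        "",
        message,
    ]
    return ("\n".join(lines) + "\n").encode()


def build_histories() -> Tuple[Store, str, str]:
    """Two root commits with the same message but different content (constructed).

    Both are fully valid Git histories; nothing in the objects themselves
    says which one the project actually published.
    """
    store: Store = {}
    blob_a = add_object(store, "blob", b"print('release build')\n")
    tree_a = add_object(store, "tree", make_tree([("100644", "app.py", blob_a)]))
    commit_a = add_object(store, "commit", make_commit(tree_a, [], "Release 1.0"))

    blob_b = add_object(store, "blob", b"print('alternate build')\n")
    tree_b = add_object(store, "tree", make_tree([("100644", "app.py", blob_b)]))
    commit_b = add_object(store, "commit", make_commit(tree_b, [], "Release 1.0"))
    return store, commit_a, commit_b


def verify_objects(store: Store) -> List[str]:
    """Object integrity: return every oid whose body no longer hashes to its name."""
    return [oid for oid, (t, body) in store.items() if git_object_id(t, body) != oid]


def check_refs(served: Dict[str, str], pinned: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Ref authenticity: compare advertised refs against ids pinned out of band.

    Returns {ref: (expected_oid, served_oid)} for every mismatch or missing ref.
    """
    return {
        ref: (want, served.get(ref, "<missing>"))
        for ref, want in pinned.items()
        if served.get(ref) != want
    }


def corrupt_copy(store: Store, oid: str) -> Store:
    """Copy of the store with one object's body altered (simulated corruption)."""
    tampered = dict(store)
    obj_type, body = tampered[oid]
    tampered[oid] = (obj_type, body + b"#\n")
    return tampered


if __name__ == "__main__":
    store, commit_a, commit_b = build_histories()
    print("integrity, honest store:", verify_objects(store) or "ok")
    print("integrity, corrupted store:", verify_objects(corrupt_copy(store, commit_a)))
    # The mirror advertises commit_b; the maintainer published commit_a.
    served = {"refs/heads/main": commit_b}
    pinned = {"refs/heads/main": commit_a}   # obtained from a trusted channel
    print("ref check without a pin: nothing to compare against, clone succeeds")
    print("ref check with a pin:", check_refs(served, pinned))
```

The point the run makes is the one the comment states: `verify_objects` is the check Git performs for free on any mirror, and it cannot distinguish the two histories because both are self-consistent. Catching the swapped ref needs a second input the mirror does not control, here a pinned commit id; in practice that is a signed tag or commit verified with `git verify-tag` / `git verify-commit`, or a commit hash recorded in a lockfile or build manifest.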