Re: [fossil-users] Unable to merge: Cannot find a common ancestor between the current checkout and ID

2018-06-05 Thread Richard Hipp
On 6/4/18, Richie Adler  wrote:
> Richard,
>
> I'm having now the same problem in my repository at
> https://chiselapp.com/user/richieadler/repository/axxoneval/
>
> I'm trying to merge the branch "mejorasilus" into trunk.

I just encountered this problem on the SQLite repository, which
enabled me to locate and fix a bug that I introduced 5 days ago when I
fixed Offray's original problem.  Please recompile from trunk and let
me know if you encounter any new troubles.

-- 
D. Richard Hipp
d...@sqlite.org
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


Re: [fossil-users] Show time...

2018-06-05 Thread Stephan Beal
On Tue, Jun 5, 2018, 23:19 Stéphane Aulery  wrote:

>
> Barely one day and I have already received this link [1] by Hacker News
> RSS feed.
>
> Maybe you can make your advocacy here.
>
> [1] https://tutswiki.com/github-alternatives/


Which reminds me: i saw an ad on SourceForge (remember them? The first
platform of its kind?) offering git sync from github.

- stephan
Sent from a mobile device, possibly left-handed from bed. Please excuse
brevity, typos, and top-posting.


Re: [fossil-users] Show time...

2018-06-05 Thread Stéphane Aulery

Hello,

On 05/06/2018 at 04:37, Roy Keene wrote:

> Other things we do at ChiselApp:
>
> On Mon, 4 Jun 2018, Eduard wrote:
>
> > I was planning on making a more official announcement, but here goes.
> >
> > I'm the developer of Hydra, a single-sign-on and manager for fossil
> > repositories. https://hydra.ecd.space/f/hydra/wiki/hydra
> >
> > I think this is relevant as people may be looking to GitHub
> > alternatives for multiproject hosting.


Barely one day and I have already received this link [1] by Hacker News 
RSS feed.


Maybe you can make your advocacy here.

[1] https://tutswiki.com/github-alternatives/

Regards,

--
Stéphane Aulery


Re: [fossil-users] Repository reports as JSON

2018-06-05 Thread Stephan Beal
On Tue, Jun 5, 2018, 19:03 Offray Vladimir Luna Cárdenas 
wrote:

> Hi,
>
> I would like to have access to the activity reports information in JSON
> format. I know that the json interface is enabled and that is mostly
> used by preceding the usual url by the "json/" command (see for example
> [1]), but for some reason I can not get any output for several commands
> like json/timeline or json/reports in my Fossil repositories. What am I
> missing? Are activity reports available as JSON data?
>
> [1] http://mutabit.com/repos.fossil/dataweek/json/dir?ci=tip


The timeline requires that you tell it which timeline you want, e.g.:

http://mutabit.com/repos.fossil/dataweek/json/timeline/checkin

For the full json API docs, see:

https://docs.google.com/document/d/1fXViveNhDbiXgCuE7QDXQOKeFzf2qNUkBEgiUvoqFN4/edit?usp=drivesdk

The reports are not currently available in json. That would not be
difficult to implement but i am still on years-long medical leave for
severe chronic RSI (from too much programming/documenting) and can't
implement it myself :(.

- stephan
Sent from a mobile device, possibly left-handed from bed. Please excuse
brevity, typos, and top-posting.


[fossil-users] Repository reports as JSON

2018-06-05 Thread Offray Vladimir Luna Cárdenas
Hi,

I would like to have access to the activity reports information in JSON
format. I know that the json interface is enabled and that is mostly
used by preceding the usual url by the "json/" command (see for example
[1]), but for some reason I can not get any output for several commands
like json/timeline or json/reports in my Fossil repositories. What am I
missing? Are activity reports available as JSON data?

[1] http://mutabit.com/repos.fossil/dataweek/json/dir?ci=tip

Thanks,

Offray




Re: [fossil-users] Show time...

2018-06-05 Thread Roy Keene
The other thing to keep in mind is that I want Fossil repositories from 
the same user to be able to access the user's other repositories, since 
they could be part of a login group.


On Tue, 5 Jun 2018, Eduard wrote:

> > 1. Enable Safe interpreters for Tcl
>
> How did you do that? The flint repository doesn't seem to include the
> fossil build script.
>
> > 2. Enforce that the SSH program cannot be run (by patching popen2()
> > to return an error)
>
> Are you not using chroot to protect repositories from each other?
>
> > 3. (Not complete, but started) run each instance of Fossil as a
> > different UID based on their Flint UID+131072
>
> That's actually the next thing on my TODO list -- I think it's a good
> idea!
>
> > 1. Need to add the domain to the Public Suffix List (otherwise,
> > you haven't mitigated the issue completely)
>
> I think the only security issue left vis-a-vis untrusted subdomains is
> that a malicious repository can insert thousands of junk cookies,
> displacing the login cookie on the secure subdomain and thus logging
> the user out. I think it's a mild annoyance at most. Feel free to
> contradict me on this.
>
> > 2. Getting a wildcard cert
>
> I also put it off for the longest time. It turned out to be
> surprisingly easy to do, and in fact less annoying than http
> validation.
>
> Cheers,
> Eduard
>
> On 06/04/2018 10:37 PM, Roy Keene wrote:
>
> > Other things we do at ChiselApp:
> >  1. Enable Safe interpreters for Tcl
> >  2. Enforce that the SSH program cannot be run (by patching
> >     popen2() to return an error)
> >  3. (Not complete, but started) run each instance of Fossil as a
> >     different UID based on their Flint UID+131072
> >
> > I thought about putting each repo under their own domain, but doing so
> > requires a bit more work:
> >
> >  1. Need to add the domain to the Public Suffix List (otherwise,
> >     you haven't mitigated the issue completely)
> >  2. Getting a wildcard cert
> >
> > On Mon, 4 Jun 2018, Eduard wrote:
> >
> > > I was planning on making a more official announcement, but here goes.
> > >
> > > I'm the developer of Hydra, a single-sign-on and manager for fossil
> > > repositories. https://hydra.ecd.space/f/hydra/wiki/hydra
> > >
> > > I think this is relevant as people may be looking to GitHub alternatives
> > > for multiproject hosting.
> > >
> > > I've recently fixed the XSS/CSRF vulnerabilities inherent to hosting
> > > multiple repositories on the same domain (which also affect chiselapp),
> > > when setup privilege is given to malicious users (for the repositories
> > > they create) and they convince other people to visit their malicious
> > > repository while logged in. I've done this by using a separate subdomain
> > > for each repository, and by patching Fossil itself to receive the CSRF
> > > token from Hydra. More details here:
> > > https://static.ecd.space/x/hydra/doc/build/html/subdomains.html
> > >
> > > I've also done some security hardening by dropping each repository in a
> > > separate chroot (to contain damage from a potential arbitrary code
> > > execution vulnerability in fossil itself).
> > >
> > > (Sorry drh, I accidentally replied only to you instead of the mailing
> > > list.)
> > >
> > > On 06/03/2018 09:28 PM, Richard Hipp wrote:
> > >
> > > > There is suddenly a big uptick in traffic to fossil-scm.org,
> > > > apparently due to the recent GitHub rumor.  Unlike that traditional
> > > > "slashdot effect", though, the referrals seem to be coming for a large
> > > > variety of sources.
> > > >
> > > > So, if anybody sees any last minute tidying up that we need to do to
> > > > the website in anticipation of a huge influx of first-time visitors,
> > > > please speak up.  Quickly.



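Roy's point that the hosting domain has to be added to the Public Suffix List before per-repository subdomains fully isolate repositories comes down to how browsers scope the cookie Domain attribute. The following is an added example written for this page, not code from the thread, from Hydra, ChiselApp or Fossil: it implements the PSL matching rules and the RFC 6265 Domain check against a constructed mini rule list. The hostnames repos.example, evil.repos.example and login.repos.example are made up, and the rule lists are tiny stand-ins for the real PSL. It also goes beyond the thread's case to show the PSL wildcard and exception rule syntax.

```python
"""
Public Suffix List (PSL) matching and the RFC 6265 cookie Domain check.

Constructed example: the hostnames and mini rule lists below are made up
and are not taken from the real PSL, from Hydra, ChiselApp or Fossil.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed rule lists (the real PSL has thousands of entries).
# "example" plays the role of a top-level domain; "repos.example" is the
# assumed hosting parent under which every repository gets its own subdomain.
RULES_WITHOUT_PSL_ENTRY: List[str] = ["example"]
RULES_WITH_PSL_ENTRY: List[str] = ["example", "repos.example"]
# Wildcard ("*.") and exception ("!") rules in the PSL's own syntax; the
# hosts tested against them below are constructed.
RULES_CK: List[str] = ["*.ck", "!www.ck"]


def _labels(name: str) -> List[str]:
    return name.lower().strip(".").split(".")


def _rule_matches(rule: List[str], host: List[str]) -> bool:
    """A rule matches when the host ends with the rule's labels, compared
    right to left; a '*' label in the rule matches any single host label."""
    if len(rule) > len(host):
        return False
    return all(r == "*" or r == h for r, h in zip(reversed(rule), reversed(host)))


def public_suffix(host: str, rules: Iterable[str]) -> str:
    """PSL algorithm: an exception rule wins over every other match and is
    applied with its leftmost label removed; otherwise the matching rule
    with the most labels wins; with no match the implicit rule '*' applies."""
    host_labels = _labels(host)
    matches: List[Tuple[bool, List[str]]] = []
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = _labels(rule[1:] if is_exception else rule)
        if _rule_matches(rule_labels, host_labels):
            matches.append((is_exception, rule_labels))
    if not matches:
        prevailing = ["*"]
    else:
        exceptions = [labels for is_exc, labels in matches if is_exc]
        if exceptions:
            prevailing = exceptions[0][1:]
        else:
            prevailing = max((labels for _, labels in matches), key=len)
    return ".".join(host_labels[-len(prevailing):])


def registrable_domain(host: str, rules: Iterable[str]) -> Optional[str]:
    """Public suffix plus one label, or None when the host is itself a
    public suffix (no single party owns everything beneath it)."""
    host_labels = _labels(host)
    n = len(_labels(public_suffix(host, rules)))
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def accepts_domain_cookie(request_host: str, cookie_domain: str,
                          rules: Iterable[str]) -> bool:
    """RFC 6265 section 5.3, steps 5 and 6: would a browser store a cookie
    carrying Domain=cookie_domain, set by request_host, as a domain cookie
    that is then sent to every host under cookie_domain?

    Rejected when the host does not domain-match the attribute, and when the
    attribute is a public suffix (at most a host-only cookie survives then,
    which sibling subdomains never receive)."""
    host = request_host.lower().strip(".")
    domain = cookie_domain.lower().strip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    if public_suffix(domain, rules) == domain:
        return False
    return True


def cross_repo_cookie_exposure(attacker: str, victim: str, shared: str,
                               rules: Iterable[str]) -> bool:
    """True if a repository served on `attacker` can plant a cookie that the
    browser will also send to `victim` by scoping it to the parent `shared`."""
    return (accepts_domain_cookie(attacker, shared, rules)
            and (victim == shared or victim.endswith("." + shared)))


if __name__ == "__main__":
    attacker, victim, parent = "evil.repos.example", "login.repos.example", "repos.example"
    for name, rules in (("without PSL entry", RULES_WITHOUT_PSL_ENTRY),
                        ("with PSL entry", RULES_WITH_PSL_ENTRY)):
        print(f"{name}: public suffix of {attacker} is "
              f"{public_suffix(attacker, rules)}; cross-repo cookie possible: "
              f"{cross_repo_cookie_exposure(attacker, victim, parent, rules)}")
```

Without the PSL entry, `repos.example` is just another registrable domain, so `evil.repos.example` may set `Domain=repos.example` cookies that the browser then sends to `login.repos.example`; once `repos.example` is listed, such a Domain attribute is refused and each repository subdomain can only set cookies for itself. Real deployments should use the current PSL file rather than a hand-written rule list.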


Re: [fossil-users] Show time...

2018-06-05 Thread Roy Keene
The patch #1 is not a part of Flint, just ChiselApp -- Flint users supply 
their own Fossil with their specific requirements, which may not include 
safe Tcl.


Attached are the two patches in question.

On Tue, 5 Jun 2018, Eduard wrote:

> > 1. Enable Safe interpreters for Tcl
>
> How did you do that? The flint repository doesn't seem to include the
> fossil build script.
>
> > 2. Enforce that the SSH program cannot be run (by patching popen2()
> > to return an error)
>
> Are you not using chroot to protect repositories from each other?
>
> > 3. (Not complete, but started) run each instance of Fossil as a
> > different UID based on their Flint UID+131072
>
> That's actually the next thing on my TODO list -- I think it's a good
> idea!
>
> > 1. Need to add the domain to the Public Suffix List (otherwise,
> > you haven't mitigated the issue completely)
>
> I think the only security issue left vis-a-vis untrusted subdomains is
> that a malicious repository can insert thousands of junk cookies,
> displacing the login cookie on the secure subdomain and thus logging
> the user out. I think it's a mild annoyance at most. Feel free to
> contradict me on this.
>
> > 2. Getting a wildcard cert
>
> I also put it off for the longest time. It turned out to be
> surprisingly easy to do, and in fact less annoying than http
> validation.
>
> Cheers,
> Eduard

diff -uNr fossil-2.1.orig/src/th_tcl.c fossil-2.1-safeinterp/src/th_tcl.c
--- fossil-2.1.orig/src/th_tcl.c2017-03-10 11:07:08.0 -0600
+++ fossil-2.1-safeinterp/src/th_tcl.c  2017-03-16 10:34:59.922893000 -0500
@@ -148,6 +148,9 @@
 #  ifndef TCL_CREATEINTERP_NAME
 #define TCL_CREATEINTERP_NAME "_Tcl_CreateInterp\0"
 #  endif
+#  ifndef TCL_MAKESAFE_NAME
+#define TCL_MAKESAFE_NAME "_Tcl_MakeSafe\0"
+#  endif
 #  ifndef TCL_DELETEINTERP_NAME
 #define TCL_DELETEINTERP_NAME "_Tcl_DeleteInterp\0"
 #  endif
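Review bot: TCL_MAKESAFE_NAME follows the leading-underscore, NUL-terminated convention of TCL_CREATEINTERP_NAME and TCL_DELETEINTERP_NAME, so it is presumably resolved from the Tcl shared library at run time the same way; that lookup must fail closed. If the loaded Tcl does not export the symbol, the code should refuse to create the interpreter (or disable the Tcl feature) rather than fall back to an unrestricted interp, since the point of this ChiselApp patch is that user-supplied scripts only ever run in a safe interp. Worth a short comment next to the define stating that expectation.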
@@ -180,6 +183,7 @@
 */
 typedef void (tcl_FindExecutableProc) (const char *);
 typedef Tcl_Interp *(tcl_CreateInterpProc) (void);
+typedef int (tcl_MakeSafeProc) (Tcl_Interp *interp);
 typedef void (tcl_DeleteInterpProc) (Tcl_Interp *);
 typedef void (tcl_FinalizeProc) (void);
 
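Review bot: the new typedef names its parameter (`Tcl_Interp *interp`) while the neighbouring `tcl_CreateInterpProc` and `tcl_DeleteInterpProc` typedefs do not; for consistency use `typedef int (tcl_MakeSafeProc) (Tcl_Interp *);`. More importantly, the int return value is Tcl_MakeSafe()'s TCL_OK/TCL_ERROR status, so every call site needs to check it and delete the interp on failure instead of carrying on with an interpreter that is still unsafe.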
@@ -405,6 +409,7 @@
   void *hLibrary; /* The Tcl library module handle. */
   tcl_FindExecutableProc *xFindExecutable; /* Tcl_FindExecutable() pointer. */
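Review bot: this hunk is cut off in the archive after the xFindExecutable field, so the struct member that would hold the Tcl_MakeSafe() pointer, and the code that looks it up and calls it after Tcl_CreateInterp(), are not visible here and cannot be reviewed; the complete patch should show that call happening before any user-supplied script is evaluated in the interpreter.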