On Mon, 2011-06-27 at 10:17 +0200, Marius Mårnes Mathiesen wrote: > On Sun, Jun 26, 2011 at 10:16 AM, martin <[email protected]> wrote: > The https solution is not mature in the same way as the ssh > solution. > SSH has protected Unix/Linux boxes for ages. > > > One might argue that SSH has exposed Unix/Linux boxes to attacks, not > protected them, for ages; just have a quick look at the security logs > on your server, and you'll discover that SSH is the preferred choice > of anyone targeting your server. SSH's will by default offer a > connecting user a shell, the gitorious script bypasses this by > restricting which actions a user can do on the server.
I have in average about 200 logged intrusion attempts on the ssh port per day. I don't allow password authentication... I don't believe that being the primary target for such attempts make ssh any weaker... > > I don't understand why you are concerned about the dedicated > git user > account... just lock it down properly. You have exactly the > same > situation on every ssh server on the planet. > > > As I mentioned above, I suspect most users running their own Gitorious > servers have sshd running as the root user, since otherwise they'd > need a separate IP address/port in order to do maintenance on their > servers. I don't think it's reasonable to assume people looking for a > way to collaborate on code have experience in locking down a SSH > daemon on their server. If people are knowledgeable enough to follow the instructions to install Gitorious, then they should have no problem following a lock-down instruction for ssh! > > > And I also saw concerns about JGit and writing to the repos. I > think all > writing to the repos should be done using code from the git > project. > > > I really don't get this. JGit had a bug, and that bug was resolved. > JGit is used in Eclipse by thousands of developers, and they trust it > to do its job. JGit is also used in Gerrit, which means the Android > repositories would be at stake if JGit didn't work. I don't think > they'd use that if there was a real risk in doing so. Furthermore, > have you looked at the vulnerabilities in Git over the last few years? > You'll find plenty of buffer overflow vulnerabilities, command > injection tricks etc. that don't exist in JGit. I don't by default trust people, software nor politicians. I trust what has been proven to work for others and yes I follow the Git developers discussions. I do see a very serious attitude towards problems, especially if it is about security or keeping the data intact. I have used Eclipse for a while and I'm not impressed. I also read how their project management is trying to use hooks to verify that the committers is on the list of trusted people. This shows clearly that they have yet to understand the concept of distributed work flow. So Eclipse using JGit does not making JGit anymore trustworthy, quite the opposite. Anroid... well Google just skipped the plans for supporting Git (for now) and went for Mercurial instead... Not that I care but the comparisons they published speaks... Don't take me wrong, I like Hg too but if I have to choose... it's Git. So really there are others I trust more. The Gitorious team including you for example. Even if you right now are exercising the thought of skipping ssh, there is absolutely no doubt in my mind that you will come to the conclusion that keeping ssh/git is necessary. You don't know if JGit have buffer overflow vulnerabilities or command injection tricks and whatever things are referred to as "etc"... no one does... the information is simply not there. > > > Would you be as skeptical to for instance the libgit2 project > (http://libgit2.github.com/)? Yes, but I'm skeptical to all projects. Over time, some gain my trust and respect. Libgit2 has an odd extension to GPLv2 that should be read carefully... I strongly believe that the best programmers are searching to contribute directly to the git project as long as the git project is aiming in the right direction. There may be strong programmers in libgit2 as well as JGit and there may be competent management too. I don't know. Time has to show... As far as I'm concerned, right now, I push via ssh, pull via git and I think we all should.go ahead with the https push but let the users decide if they trust it. Let the users enable it per project or per repo. Maybe in a few years, I will use it... Martin > > > Cheers, > - Marius > -- > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] -- To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected]
