[savannah-help-public] [sr #109093] Support and require cloning via https:// instead of git://, http://, svn://, or other insecure transport

2017-02-17 Thread Assaf Gordon
Update of sr #109093 (project administration):

  Status: None => Done
  Assigned to: None => agn
  Open/Closed: Open => Closed

___

Follow-up Comment #7:

Savannah now supports HTTPS access for source-code browsing and anonymous
cloning.

closing this ticket.
 - assaf

___

Reply to this item at:

  

___
  Message sent via/by Savannah
  http://savannah.gnu.org/

2017-02-08 Thread David A. Wheeler
Follow-up Comment #6, sr #109093 (project administration):

I also think this has been completed.  At the least, I can now use https: to
access the GNU make git repos, and I could not do that before.  My congrats to
the Savannah admin team!



2017-02-08 Thread Paul D. Smith
Follow-up Comment #5, sr #109093 (project administration):

I believe this has been completed, thanks to the excellent (and tireless) work
of Bob Proulx and others on the Savannah and FSF admin teams.  Please
double-check and verify if this can be resolved.


2016-10-19 Thread anonymous
Follow-up Comment #4, sr #109093 (project administration):

I might want to add that this is also criterion C6 of the GNU ethical
repository criteria.

https://www.gnu.org/software/repo-criteria.html


It appears that this issue was overlooked in the evaluation of Savannah (given
an A grade).

https://www.gnu.org/software/repo-criteria-evaluation.html



To reiterate, while releases can generally be downloaded over HTTPS and
verified by GnuPG regardless, the same is not yet true for the developmental
sources. As it stands right now, anyone who wants to download the
developmental sources is vulnerable to spyware, backdoors, etc. being snuck in
while it is in transit by anyone between the person's computer and the GNU
servers (depending where one is in the world, that could go through the
borders of several countries, most of which have governments who would not be
above doing it, though probably only for targeted people).


2016-08-03 Thread Paul D. Smith
Follow-up Comment #3, sr #109093 (project administration):

This is something that would be very nice to see available...


2016-07-30 Thread David A. Wheeler
Follow-up Comment #2, sr #109093 (project administration):

I agree, supporting HTTPS on the repo is critically important.  This lack
makes it easy for someone to launch a MITM attack on the code supported by
Savannah.

Note that the Linux Foundation's "best practices" badge makes HTTPS a minimum
requirement:
.

What's the blocker?  Is there anything that can be done to help?  Savannah
already has the needed TLS certs, so I imagine that all that's needed is a
minor configuration change.


2016-07-13 Thread Demi Obenour
Follow-up Comment #1, sr #109093 (project administration):

(I am the "anonymous" who made the initial report.)

This really should be top priority.  Savannah **already** has the needed TLS
certificates!  This is a security vulnerability that makes Savannah unusable
to many (those who refuse to install software from insecure connections).


2016-07-13 Thread anonymous
URL:
  

  Summary: Support and require cloning via https:// instead of
           git://, http://, svn://, or other insecure transport
  Project: Savannah Administration
  Submitted by: None
  Submitted on: Wed 13 Jul 2016 10:25:24 PM UTC
  Category: Source code repositories - anonymous access
  Priority: 5 - Normal
  Severity: 6 - Security
  Status: None
  Assigned to: None
  Originator Email: demioben...@gmail.com
  Operating System: None
  Open/Closed: Open
  Discussion Lock: Any

___

Details:

Due to man-in-the-middle attacks, the only secure ways to clone a repository
are HTTPS and SSH.  git://, http://, svn://, and others are all insecure.

However, Savannah recommends cloning via the insecure git:// protocol, and
indeed it is not even possible to clone via the secure https:// protocol in
many cases!  This is a security risk (remote execution of arbitrary code) for
anyone who does an anonymous checkout of any project over an insecure means of
transport.

Git (at least) provides a smart HTTP(S) server, which is much faster than the
old "dumb HTTP" transport, and roughly as fast as SSH.  Performance of the
git:// protocol is irrelevant as it is insecure.

The result for me is that I am not able to use the Git master of binutils-gdb
to debug my Rust programs, among other problems.

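
The report above and comment #4 both describe the same risk: a clone over git:// or http:// has no server authentication, so anyone on the path can alter the sources in transit. The following script is an added example, not part of the ticket or of Savannah's tooling; it classifies a repository's remote URLs by transport, shows the https:// rewrite, and uses git's url.<base>.insteadOf mechanism so that even a copy-pasted git:// URL is fetched over https://. The host name git.example.org is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the Savannah ticket): audit clone transports and
# force https:// for a given host. Host names here are constructed placeholders.

# Return 0 (true) when the URL uses a transport that cannot authenticate the
# server: git://, plain http://, svn://, svn over plain http.
insecure_transport() {
    case "$1" in
        git://*|http://*|svn://*|svn+http://*) return 0 ;;
        *) return 1 ;;   # https://, ssh://, svn+ssh://, scp-style git@host:path
    esac
}

# Print the https:// equivalent of a git:// or http:// URL; other URLs are
# printed unchanged (svn:// has no mechanical rewrite, the server decides).
to_https() {
    case "$1" in
        git://*)  printf 'https://%s\n' "${1#git://}" ;;
        http://*) printf 'https://%s\n' "${1#http://}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Audit the fetch remotes of a repository: one line per remote, flagging the
# insecure ones together with the https:// URL they should use.
# Usage: audit_remotes <path-to-git-repo>
audit_remotes() {
    git -C "$1" remote -v | awk '$3 == "(fetch)" { print $1, $2 }' |
    while read -r name url; do
        if insecure_transport "$url"; then
            printf 'INSECURE %s %s -> %s\n' "$name" "$url" "$(to_https "$url")"
        else
            printf 'ok       %s %s\n' "$name" "$url"
        fi
    done
}

# Tell git to fetch from https:// whenever a git:// or http:// URL for this host
# is used (global config; git allows several insteadOf values per base URL).
# Usage: force_https_for_host git.example.org
force_https_for_host() {
    git config --global "url.https://$1/.insteadOf" "git://$1/"
    git config --global --add "url.https://$1/.insteadOf" "http://$1/"
}
```

After force_https_for_host, `git clone git://git.example.org/repo.git` transparently connects to https://git.example.org/repo.git, so existing instructions that still quote git:// URLs no longer expose the user.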