Re: Fetching from the git repositories over https?
Thanks again very much for implementing this! I've encountered no issues
when cloning.

> Also, I haven't yet updated any documentation to point to this new
> mechanism, so that's something that could still be done.

Taken as a suggestion and done:

https://git.notmuchmail.org/git?p=notmuch-wiki;a=commitdiff;h=6b421471aaad8160981561c705dae1cbaa17702c;hp=591299b2f4b15f6ef7e8c308ead9c3a30b7c7563

I've left the instructions for the wiki, at
https://notmuchmail.org/wikiwriteaccess/ unchanged, as I'm not sure whether
the push mechanism would work with the https transport and don't want to
experiment. Also, MITM attacks aren't much of a worry in this case...

Thank you for a very welcoming attitude,
Adam

___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
Re: Fetching from the git repositories over https?
> Thanks for doing that! If you need any backup in the discussion, or if
> you think that your suggestion is not being taken as seriously as is
> warranted, i'd be happy to try to help explain the issues to the MELPA
> folks -- contact me directly offlist if you want to coordinate on this.

Thanks for the offer! FWIW, I've opened an issue here:
https://github.com/melpa/melpa/issues/5294

> I think if you use the github mirror, you might just be pushing off
> cleartext fetching to someone else, since that mirror appears to be
> synced over http itself :/ I don't actually know who maintains that
> mirror, and i don't know how to update where it syncs from...

I had been hoping that the mirror was updated by a notmuch contributor who
had access to the main repository and could fetch the code over ssh, though
in any case this is now irrelevant.

> However, Carl Worth (in Cc) just mentioned on IRC that he set up https
> for the official notmuch repo! So please use this URL:
>
> https://git.notmuchmail.org/git/notmuch
>
> Thanks Carl! :)

That's brilliant. Thanks very much (and thanks Carl)!

Adam
Re: Fetching from the git repositories over https?
On Sun, Jan 28 2018, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.

Not at all. This is the right place.

> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol? (None of the likely
> alternatives seem to work.)

It wasn't possible when you asked, but I just configured this, and it
seems to work.

Specifically, I have tested that I can point my browser at:

    https://git.notmuchmail.org/git/notmuch

to see the gitweb view of the git history on the web, and I can also use
that same URL for a git clone:

    git clone https://git.notmuchmail.org/git/notmuch

and that works.

I also verified that a "git push" from such a clone results in a 403
error as desired.

So give that a try, and anyone, let me know if you see anything that I
may have broken or set up incorrectly.

Also, I haven't yet updated any documentation to point to this new
mechanism, so that's something that could still be done.

> Thank you for your time and thank you for notmuch,

You're quite welcome. And thank you for your contribution!

-Carl
Re: Fetching from the git repositories over https?
On Fri 2018-02-09 06:28:04 +, Adam Plaice wrote:
> Thanks very much for the reply. I fully agree that the verifying of
> git tags by MELPA would be valuable (and rather important from a
> security perspective), and will bring it up.

Thanks for doing that! If you need any backup in the discussion, or if
you think that your suggestion is not being taken as seriously as is
warranted, i'd be happy to try to help explain the issues to the MELPA
folks -- contact me directly offlist if you want to coordinate on this.

> BTW, is the GitHub mirror https://github.com/notmuch/notmuch/
> mentioned in README.rst, semi-official in the sense of being likely to
> be up to date? If yes, it could be used as a stopgap intermediary
> "source" for MELPA, until https transport is possible with the main
> notmuch repository or MELPA supports verifying signed git tags.

I think if you use the github mirror, you might just be pushing off
cleartext fetching to someone else, since that mirror appears to be
synced over http itself :/ I don't actually know who maintains that
mirror, and i don't know how to update where it syncs from...

However, Carl Worth (in Cc) just mentioned on IRC that he set up https
for the official notmuch repo! So please use this URL:

https://git.notmuchmail.org/git/notmuch

Thanks Carl! :)

All the best,

--dkg
Re: Fetching from the git repositories over https?
Hi Daniel,

Thanks very much for the reply. I fully agree that the verifying of git
tags by MELPA would be valuable (and rather important from a security
perspective), and will bring it up.

BTW, is the GitHub mirror https://github.com/notmuch/notmuch/ mentioned
in README.rst, semi-official in the sense of being likely to be up to
date? If yes, it could be used as a stopgap intermediary "source" for
MELPA, until https transport is possible with the main notmuch repository
or MELPA supports verifying signed git tags.

Thanks again,
Adam
Re: Fetching from the git repositories over https?
Hi Adam--

On Sun 2018-01-28 17:26:08 +, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.
>
> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol? (None of the likely
> alternatives seem to work.)

It's currently not possible to do that, but some maintenance work is
underway that might allow us to support it in the future. I agree with
you that https:// is probably a better transport than git:// in 2018,
regardless of what MELPA thinks :)

> Using https would raise the bar, from anybody who can hijack the
> connection between MELPA and notmuchmail.org, to those who can compromise
> the SSL certificate chain.

Whether we use https or not, MELPA should be relying on signed git tags
from known release managers of the upstream projects. For notmuch, that
would be David Bremner, openpgp key fingerprint
815B63982A79F8E7C72786C4762B57BB784206AD

If MELPA is relying only on HTTPS for source integrity, it's vulnerable
to any breakage in the HTTPS security model -- from malicious CAs to
cryptographic attacks against the TLS layer itself.

I agree with you that https:// is preferable to git://, but please
encourage MELPA to take the next step and properly verify the retrieved
source directly via OpenPGP.

Regards,

--dkg
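The check dkg asks MELPA to perform, as an added example that is not code from this thread or from the notmuch project: verify a signed git tag and accept it only if the signing key matches a pinned fingerprint, parsing gpg's status lines rather than trusting a bare "Good signature". The fingerprint is the one dkg quotes for David Bremner; the tag name and the sample status lines are assumptions I constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from notmuch: pin the release
# manager's OpenPGP fingerprint when verifying a signed git tag, so integrity
# rests on the signature rather than on the transport. The fingerprint is the
# one dkg gives for David Bremner; the tag name and sample status lines below
# are assumptions/constructed.
EXPECTED_FPR="815B63982A79F8E7C72786C4762B57BB784206AD"

# Parse gpg status-fd lines (what `git verify-tag --raw` writes to stderr).
# Succeed only if a VALIDSIG line names the pinned key. GOODSIG and TRUST_*
# lines are deliberately ignored: a valid signature from any other key in
# the keyring must not pass, and the pin replaces keyring trust settings.
check_validsig() {
    printf '%s\n' "$1" | {
        while IFS=' ' read -r prefix keyword fpr rest; do
            [ "$prefix" = "[GNUPG:]" ] || continue
            [ "$keyword" = "VALIDSIG" ] || continue
            # field 3 is the signing (sub)key fingerprint, the last field
            # the primary key fingerprint; either may carry the pin
            primary=${rest##* }
            if [ "$fpr" = "$EXPECTED_FPR" ] || [ "$primary" = "$EXPECTED_FPR" ]; then
                exit 0   # leaves the pipeline subshell; function returns 0
            fi
        done
        exit 1           # no VALIDSIG for the pinned key
    }
}

# Real use in a clone (tag name is an assumption); needs git and gpg with the
# key imported. git verify-tag itself fails on bad or unknown signatures.
verify_release_tag() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    check_validsig "$status"
}

# Constructed: good signature by the pinned key that is merely imported,
# not marked trusted (TRUST_UNDEFINED), the usual state after a fresh import.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 762B57BB784206AD David Bremner (constructed uid)
[GNUPG:] VALIDSIG 815B63982A79F8E7C72786C4762B57BB784206AD 2018-02-09 1518156484 0 4 0 1 10 00 815B63982A79F8E7C72786C4762B57BB784206AD
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Constructed: good, even ultimately trusted, signature by some other key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else (constructed uid)
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-02-09 1518156484 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_ULTIMATE 0 pgp'
```

A freshly imported key normally shows TRUST_UNDEFINED, which is why the check pins the fingerprint instead of consulting gpg's trust model; run `verify_release_tag <tag>` inside a clone fetched over https to use it for real.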
Fetching from the git repositories over https?
I apologise if I'm asking in the wrong place.

Is it possible to clone/fetch from the notmuch git repositories
(particularly https://git.notmuchmail.org/git/notmuch) over https rather
than with the `git://' protocol? (None of the likely alternatives seem to
work.)

If not, would it be inconvenient for this to be enabled, as an option (if
not the recommended one)?

Having such an option would be valuable for the purposes of MELPA and
MELPA stable (the Emacs package archives which provide an alternative,
slightly controversial, way of installing the Notmuch Emacs interface).

Since the scripts that build the package archives fetch from upstream
sources (such as git://git.notmuchmail.org/git/notmuch) automatically
(without human oversight or code inspection) and the `git://' protocol
does not provide any authentication, there is currently no guarantee that
when the MELPA server tries to connect to notmuchmail.org it's not
actually being "Man-in-the-middled" by a malicious third party. As a
result, it would be possible for such a third party to introduce some
changes to the Elisp code that would compromise the machines of any
users who install the modified package.

Using https would raise the bar, from anybody who can hijack the
connection between MELPA and notmuchmail.org, to those who can compromise
the SSL certificate chain.

Thank you for your time and thank you for notmuch,
Adam