Opened 7 years ago

Closed 6 years ago

#7723 closed defect (wontfix)

block access to the git port

Reported by: weasel Owned by:
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

There is probably no reason why anybody on our hosts should clone from git.torproject.org using git://

Maybe we should block that port in our firewalls.

Change History (12)

comment:1 Changed 7 years ago by karsten

Oh? I do that all the time, and I think we (or just I?) wrote git:// URLs in quite a few HOWTO docs. Closing that port will make a lot of people unhappy. Please only close that port if there are good reasons.

comment:2 Changed 7 years ago by weasel

Running code that you fetched via git:// is not smart. Just use https://. I keep telling people, but they forget. So one option is to just break git:// for everyone on torproject.org hosts.

comment:3 Changed 7 years ago by karsten

I see. If you do this, please announce the change on tor-dev@ a week or so in advance, so that people can change their existing git remotes.

comment:4 Changed 7 years ago by nickm

Here's a one-liner to migrate all of your remotes, assuming that you have a git recent enough to support git remote set-url:

git remote -v |perl -ne 'print "git set-url $1 https://git.torproject.org/$2\n" if (m{(\S+)\tgit://git.torproject.org(\S+)});'

It prints a bunch of git commands which you should inspect for correctness before executing.

comment:5 Changed 7 years ago by karsten

Thanks, that's very useful. Tweaked it a bit here:

git remote -v |perl -ne 'print "git remote set-url $1 https://git.torproject.org$2\n" if (m{(\S+)\tgit://git.torproject.org(\S+)});' | uniq

Works fine on my local box and on lemmonii. However, yatei has difficulties fetching/cloning from https:// URLs:

error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.torproject.org/karsten/metrics-web.git/info/refs
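
The one-liners above rewrite the remotes of one repository at a time. As an added example (not part of the ticket or of any Tor Project tooling), git's url.<base>.insteadOf setting rewrites git:// to https:// for every repository used by an account, and git ls-remote --get-url reports the effective URL without contacting the server. The function names force_https and cleartext_remotes are hypothetical.

```shell
#!/bin/sh
# Added example: force https:// for git.torproject.org through git's
# url.<base>.insteadOf rewrite, then audit which remotes of a repository
# would still be fetched over the unauthenticated git:// protocol.

# Install the rewrite rule in the current user's global git config.
# It applies to existing remotes, new clones and submodule URLs alike,
# so git:// URLs copied from old HOWTO documents are covered too.
force_https() {
    git config --global \
        url."https://git.torproject.org/".insteadOf "git://git.torproject.org/"
}

# Print "remote<TAB>url" for each remote of the repository in $1 whose
# effective URL (after insteadOf rewriting) still starts with git://.
# "ls-remote --get-url" only expands the URL; it does not use the network.
cleartext_remotes() {
    for r in $(git -C "$1" remote); do
        url=$(git -C "$1" ls-remote --get-url "$r")
        case "$url" in
            git://*) printf '%s\t%s\n' "$r" "$url" ;;
        esac
    done
}
```

Run force_https once per account; cleartext_remotes /path/to/repo then lists only remotes on other hosts that still use git://.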

comment:6 in reply to: 5 Changed 7 years ago by rransom

Replying to karsten:

> Works fine on my local box and on lemmonii. However, yatei has difficulties fetching/cloning from https:// URLs:
>
> error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.torproject.org/karsten/metrics-web.git/info/refs

Has weasel installed ca-certificates (or just the needed certificate) on yatei yet?

comment:7 Changed 7 years ago by rransom

gitweb.tpo still lists the git: URL first.

comment:8 in reply to: 7 Changed 7 years ago by Sebastian

Replying to rransom:

> gitweb.tpo still lists the git: URL first.

changed

comment:9 in reply to: 6 Changed 7 years ago by karsten

Replying to rransom:

> Replying to karsten:
>
> > Works fine on my local box and on lemmonii. However, yatei has difficulties fetching/cloning from https:// URLs:
> >
> > error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.torproject.org/karsten/metrics-web.git/info/refs
>
> Has weasel installed ca-certificates (or just the needed certificate) on yatei yet?

$ dpkg -l | grep cert
ii  ca-certificates                     20090814+nmu3squeeze1        Common CA certificates
[...]

weasel, can you take a look, please?

comment:10 Changed 7 years ago by karsten

bump

comment:11 Changed 7 years ago by karsten

weasel just solved the problem on yatei (thanks!). That leaves us with:

  • announce on tor-dev@ that git:// URLs won't work anymore very soon,
  • block that port in the firewall.

comment:12 Changed 6 years ago by weasel

Resolution: wontfix
Status: new → closed

While I still think that people should use https:// if possible, maybe blocking the git protocol isn't the right approach after all.

It's a shame the git client is so horrible when it doesn't trust the https cert.
