Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 669286 - Consider deprecating insecure URLs in gitweb interface
Summary: Consider deprecating insecure URLs in gitweb interface
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Git (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-22 08:54 UTC by Hanno Böck
Modified: 2019-04-15 22:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2018-10-22 08:54:50 UTC 
Our gitweb interface currently offers 4 URL schemes, see e.g.:
https://gitweb.gentoo.org/repo/gentoo.git

git://anongit.gentoo.org/repo/gentoo.git
https://anongit.gentoo.org/git/repo/gentoo.git
http://anongit.gentoo.org/git/repo/gentoo.git
git+ssh://git@git.gentoo.org/repo/gentoo.git

Both http:// and git:// are plaintext protocols and thus shouldn't be recommended for security reasons. For this reason the major git providers (Github, Gitlab) don't offer these by default any more (I think they're still enabled for legacy compatibility reasons, but not shown on the webpage).

I think we should only display https+ssh-based clone mechanisms. It may also be good to deprecate the insecure variants fully, though depending on how many people clone them that probably should go along with a public announcement and maybe some transition time. (I'm not sure if cloning still works with redirects, i.e. if we redirect all http to https.)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-22 11:32:53 UTC 
While I agree that we should only expose HTTPS and SSH-based URLs I want to differentiate the following paragraph a little bit:

(In reply to Hanno Boeck from comment #0)
> Both http:// and git:// are plaintext protocols and thus shouldn't be
> recommended for security reasons. For this reason the major git providers
> (Github, Gitlab) don't offer these by default any more (I think they're
> still enabled for legacy compatibility reasons, but not shown on the
> webpage).

- anongit host will never allow you to authenticate -- no chance to leak any credentials "by accident"

- git has its own internal mechanism to protect integrity. There's no chance for a bad ISP or something like that to interfere request without being noticed by user. 


Instead, a forum or a wiki which is still sending HTTP links via e-mail is a real threat.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-10-22 16:28:05 UTC 
commit b6c3548b4415b29fbfe6b1fd6c64148821f3d253 (HEAD -> production, origin/production)
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Oct 22 18:25:41 2018

    vcs: Remove git:// and http:// from cgit clone URIs
    
    Bug: https://bugs.gentoo.org/669286
    Signed-off-by: Michał Górny <mgorny@gentoo.org>


They should disappear once the cgitrc update propagates.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-15 22:23:37 UTC 
gitweb looks good to me.