Re: [aur-general] Git over HTTPS

2015-06-20 Thread David Kaylor
 Since he's doing it as part of his job, supposedly, then I really can't
 see any reason at all that they wouldn't open up port 22 just to luna
 for him.



Yea, who knows. Like I said earlier, I do feel for the guy.


Re: [aur-general] Git over HTTPS

2015-06-20 Thread Johannes Löthberg

On 20/06, Johannes Löthberg wrote:
I'm rather sure that he never actually said that maintaining the AUR 
package was part of his job, just avoided the question by saying that 
he worked on the software. (Though I'm too lazy to check now.)




Ah, seems I misread him, quoting 
cag22hqdefjnt9un6r8ai1iafzsbuqppginszfrj-tfrwjn2...@mail.gmail.com:



2. I currently maintain the ownCloud-beta-client package as part of my
involvement with that group.
This is done as part of my official duties in my corporate environment.


--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/




Re: [aur-general] Git over HTTPS

2015-06-20 Thread Magnus Therning
On Sat, Jun 20, 2015 at 09:12:06AM +0300, Mihamina Rakotomandimby wrote:
 On 06/16/2015 09:24 AM, Alan Jenkins wrote:
   I
 understand why they block port 22 out bound and know it to be a common
 problem. It is blocked to stop employees accidentally or intentionally
 leaking important customer or business data. You can also use SSH to bypass
 security measures in place within the network and even create tunnels back
 into the network.
 
 Seriously I believe that [...]
 
 [...] I seriously don't believe that in 2015 security is port based...

Oh, you clearly have no clue about the extent of the madness of it all
:)

/M

-- 
Magnus Therning  OpenPGP: 0xAB4DFBA4 
email: mag...@therning.org   jabber: mag...@therning.org
twitter: magthe   http://therning.org/magnus

The definition of insanity is doing the same thing over and over again
and expecting different results.
 -- Albert Einstein




Re: [aur-general] Git over HTTPS

2015-06-20 Thread Johannes Löthberg

On 18/06, David Kaylor wrote:


1. Yes, I do have network access outside of my corporate environment.
However, much (READ: all) of the project maintenance and code lives on and
is performed on my corporate servers.

2. I currently maintain the ownCloud-beta-client package as part of my
involvement with that group.
This is done as part of my official duties in my corporate environment.

My organization is also looking to begin sharing several large projects
within a few months.
Without another form of access, this would be technically impossible.

--
Thomas Swartz



I had been wondering if you were working on some packages in a work
capacity. Given that, I think it would be a shame to lock out this type of
contributor, even though there are probably just a few.


Since he's doing it as part of his job, supposedly, then I really can't 
see any reason at all that they wouldn't open up port 22 just to luna 
for him.


--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/




Re: [aur-general] Git over HTTPS

2015-06-20 Thread Johannes Löthberg

On 20/06, David Kaylor wrote:


Do you have permission from your employer to use their infrastructure (eg:
computers, network) to work on contributions to ArchLinux?

If not, they *may* own the IP related to the PKGBUILDs, or any extra
scripts
you include (in most jurisdictions, if you write a 15 line script, it's
copyrighted automatically).
I suggest that you carefully study this, and similar scenarios.

So, if you have permission, asking for them to open SSH should be trivial.
If
not, then stop creating tainted contributions at work.



If you had bothered to read the entire thread, you should have noticed that
the OP has already answered this question.


I'm rather sure that he never actually said that maintaining the AUR 
package was part of his job, just avoided the question by saying that he 
worked on the software. (Though I'm too lazy to check now.)


--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/




Re: [aur-general] Git over HTTPS

2015-06-20 Thread David Kaylor
 I'm rather sure that he never actually said that maintaining the AUR
 package was part of his job, just avoided the question by saying that he
 worked on the software. (Though I'm too lazy to check now.)


I just double checked, and this is what he wrote:

2. I currently maintain the ownCloud-beta-client package as part of my
involvement with that group.
This is done as part of my official duties in my corporate environment.

My organization is also looking to begin sharing several large projects
within a few months.
Without another form of access, this would be technically impossible.

Which sounds to me like he was saying it is part of his job, or at least he
has explicit approval to work on it.

Why can't he get outbound SSH access to do this, if it is work related? Who
knows. But I sort of sympathize with him. Not blaming the AUR4 developer,
he has good reasons for the new design, as far as I know.

I do wish people would stop focusing on the OP's corporate network
policies, stupid as they may be, because it's just not relevant at this
point. I, for one, hope he can continue to contribute.


Re: [aur-general] Git over HTTPS

2015-06-20 Thread Mihamina Rakotomandimby

On 06/16/2015 09:24 AM, Alan Jenkins wrote:

  I
understand why they block port 22 out bound and know it to be a common
problem. It is blocked to stop employees accidentally or intentionally
leaking important customer or business data. You can also use SSH to bypass
security measures in place within the network and even create tunnels back
into the network.

Seriously I believe that [...]


[...] I seriously don't believe that in 2015 security is port based...


Re: [aur-general] Git over HTTPS

2015-06-19 Thread David Kaylor

 Do you have permission from your employer to use their infrastructure (eg:
 computers, network) to work on contributions to ArchLinux?

 If not, they *may* own the IP related to the PKGBUILDs, or any extra
 scripts
 you include (in most jurisdictions, if you write a 15 line script, it's
 copyrighted automatically).
 I suggest that you carefully study this, and similar scenarios.

 So, if you have permission, asking for them to open SSH should be trivial.
 If
 not, then stop creating tainted contributions at work.


If you had bothered to read the entire thread, you should have noticed that
the OP has already answered this question.


Re: [aur-general] Git over HTTPS

2015-06-19 Thread Hugo Osvaldo Barrera
On 2015-06-15 11:57, Tom Swartz wrote:
 Hi all,
 
 The majority of my work happens behind corporate firewalls where ssh out
 via port 22 is not an option.
 
 Is there a way to configure GitHub-like SSH via HTTPS ports?
 https://help.github.com/articles/using-ssh-over-the-https-port/
 
 I'd be greatly appreciative if this was the case.
 
 Thanks!
 
 -- 
 Tom Swartz

Do you have permission from your employer to use their infrastructure (eg:
computers, network) to work on contributions to ArchLinux?

If not, they *may* own the IP related to the PKGBUILDs, or any extra scripts
you include (in most jurisdictions, if you write a 15 line script, it's
copyrighted automatically).
I suggest that you carefully study this, and similar scenarios.

So, if you have permission, asking for them to open SSH should be trivial. If
not, then stop creating tainted contributions at work.

Cheers,

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: [aur-general] Git over HTTPS

2015-06-17 Thread LoneVVolf

On 17-06-15 14:17, Tom Swartz wrote:

Asking for a response from the OP: Do you not have other network access
available to maintain your AUR packages? More to the point, are you
maintaining packages on AUR as part of your official responsibilities? Or
just in spare time? Leaving aside, for the moment, all other arguments
regarding blocking outbound SSH, I believe these are fundamental questions.


To answer your questions:

1. Yes, I do have network access outside of my corporate environment.
However, much (READ: all) of the project maintenance and code lives on and
is performed on my corporate servers.

2. I currently maintain the ownCloud-beta-client package as part of my
involvement with that group.
This is done as part of my official duties in my corporate environment.

My organization is also looking to begin sharing several large projects
within a few months.
Without another form of access, this would be technically impossible.


Tom,

So far many people have responded, but 1 name is missing: Lukas 
Fleischer, our valued aur web maintainer.
I suggest you create a feature request for AUR git over https support  
at https://bugs.archlinux.org/index.php?project=2 .


LVV


Re: [aur-general] Git over HTTPS

2015-06-17 Thread Giancarlo Razzolini

On 17-06-2015 15:51, LoneVVolf wrote:

So far many people have responded, but 1 name is missing: Lukas 
Fleischer, our valued aur web maintainer.
I suggest you create a feature request for AUR git over https support 
at https://bugs.archlinux.org/index.php?project=2 .

There is already support for Git over https. It's read only though. The 
OP wants SSH git access on port 443. Which is something different. I 
believe that something along the lines of github with oAuth tokens 
should be better than having SSH operating on port 443. That way those 
who can't access regular SSH can still contribute to AUR.


Cheers,
Giancarlo Razzolini


Re: [aur-general] Git over HTTPS

2015-06-17 Thread Damian Nowak
 I'm not requiring that others solve my problem, Giancarlo.
 As mentioned, this is an impossibility in our organization, and (I'm sure)
 many others.

...or even hotels.


Damian.


Re: [aur-general] Git over HTTPS

2015-06-17 Thread Giancarlo Razzolini

On 17-06-2015 22:24, Damian Nowak wrote:

...or even hotels.

Ok. I can provide nginx, openssh and sslh configuration to the AUR 
maintainers if that's what you guys want. I bet that they already know 
how to implement this anyway. But I still believe it's a dumb idea. Much 
better to implement proper git https write access. I'll take a look at 
AUR code and see if it's difficult to implement it. If it's not, I might 
write a patch. But the fact that Lukas hasn't weighed in on this thread 
yet is not a good sign for you guys.


P.S.: If you guys use hotel wifi without a VPN... well... not that much 
I can say at this point, just wish good luck.


Cheers,
Giancarlo Razzolini


Re: [aur-general] Git over HTTPS

2015-06-17 Thread Tom Swartz
Asking for a response from the OP: Do you not have other network access
available to maintain your AUR packages? More to the point, are you
maintaining packages on AUR as part of your official responsibilities? Or
just in spare time? Leaving aside, for the moment, all other arguments
regarding blocking outbound SSH, I believe these are fundamental questions.


To answer your questions:

1. Yes, I do have network access outside of my corporate environment.
However, much (READ: all) of the project maintenance and code lives on and
is performed on my corporate servers.

2. I currently maintain the ownCloud-beta-client package as part of my
involvement with that group.
This is done as part of my official duties in my corporate environment.

My organization is also looking to begin sharing several large projects
within a few months.
Without another form of access, this would be technically impossible.

-- 
Thomas Swartz


Re: [aur-general] Git over HTTPS

2015-06-17 Thread Tom Swartz
Giancarlo,

This is stupid, as I already pointed out.

The amount of neckbearding arguments you have posted here are not
productive.
Despite how 'stupid' the decisions are, either in your opinion or in fact,
repeatedly pointing it out has no bearing on the fact that it exists.

 I'm complaining with the OP requests and demands that AUR devs do
something because he needs it.

I have not once demanded that AUR Devs do anything.
I have suggested twice so far that some productive discussion is done as to
the ability to open SSH over HTTPS.

SSH via HTTPS is, as many have pointed out, a common and reasonable
solution for environments where all outbound ports are blocked except for
80, 443 and a minor select others.

Again, you can always use another network for doing all this. A more open
one.

As mentioned numerous times before, this is not feasible.

I would appreciate if you could keep the comments and discussion on-task.
-- 
Thomas Swartz


Re: [aur-general] Git over HTTPS

2015-06-17 Thread Martti Kühne
On Wed, Jun 17, 2015 at 2:17 PM, Tom Swartz t...@tswartz.net wrote:

 To answer your questions:

 1. Yes, I do have network access outside of my corporate environment.
 However, much (READ: all) of the project maintenance and code lives on and
 is performed on my corporate servers.

 2. I currently maintain the ownCloud-beta-client package as part of my
 involvement with that group.
 This is done as part of my official duties in my corporate environment.



Aren't you moving what essentially would be your problem outside your
firewall, too?

cheers!
mar77i


Re: [aur-general] Git over HTTPS

2015-06-16 Thread Manuel Reimer

On 06/16/2015 08:24 AM, Alan Jenkins wrote:

I am with the OP on this, having worked in a cloud security company I
understand why they block port 22 out bound and know it to be a common
problem. It is blocked to stop employees accidentally or intentionally
leaking important customer or business data. You can also use SSH to bypass
security measures in place within the network and even create tunnels back
into the network.


You can do this via HTTPS, too.

-- Bad argument.

Manuel


Re: [aur-general] Git over HTTPS

2015-06-16 Thread Alan Jenkins
Actually they very often strip https traffic too. I used to work for
Symantec.cloud and we did both http and https scanning so don't try to say
that it is not a valid argument as I assure you you can scan and do content
filtering on https.

On 16 June 2015 at 14:35, Manuel Reimer manuel.rei...@gmx.de wrote:

 On 06/16/2015 08:24 AM, Alan Jenkins wrote:

 I am with the OP on this, having worked in a cloud security company I
 understand why they block port 22 out bound and know it to be a common
 problem. It is blocked to stop employees accidentally or intentionally
 leaking important customer or business data. You can also use SSH to
 bypass
 security measures in place within the network and even create tunnels back
 into the network.


 You can do this via HTTPS, too.

 -- Bad argument.

 Manuel



Re: [aur-general] Git over HTTPS

2015-06-16 Thread Giancarlo Razzolini

On 16-06-2015 14:20, Alan Jenkins wrote:

Also may I remind you that the focus of this conversation is allowing users
in corporate environments access to be able to contribute to the AUR. These
environments block SSH for multiple reasons but are able to allow HTTPS as
they are able to more tightly regulate it.

There are literally tons of ways to tunnel out of a network. SSH is just 
one of them. Instead of blocking anything, network admins should monitor 
the traffic using netflow, and set alarms when too much data is leaving 
the network. That would prevent a lot of data breaches. Or at least 
minimize their impact.


Expecting to block something to avoid information breach, or any other 
kind of data theft is dumb. Also, come on people. It's 2015. Doesn't 
everybody also have a machine at home?


Cheers,
Giancarlo Razzolini
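
The monitoring approach proposed in the message above (watch flow records and alarm on unusual outbound volume), as an added example that is not part of the original post. The flow tuple layout, the `10.0.0.0/8` site range, the thresholds and every sample record are assumptions constructed for illustration.

```python
"""Egress-volume alarm over flow records (constructed data and thresholds)."""
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's address space
WINDOW = 3600              # aggregate per host per hour
FLOOR = 50_000_000         # ignore windows below 50 MB, however unusual
FACTOR = 5                 # alarm when a window exceeds FACTOR x the host's median
MIN_HISTORY = 3            # windows needed before the median is trusted
CEILING = 1_000_000_000    # alarm at 1 GB per window even with no history

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def egress_per_window(flows):
    """Sum bytes leaving the site, keyed by (source host, window start)."""
    totals = defaultdict(int)
    for ts, src, dst, _dport, nbytes in flows:
        # Only internal -> external traffic counts as egress.
        if is_internal(src) and not is_internal(dst):
            totals[(src, ts - ts % WINDOW)] += nbytes
    return totals

def egress_alarms(flows):
    """Return (host, window start, bytes) for windows far above the host's own baseline."""
    by_host = defaultdict(list)
    for (src, win), nbytes in egress_per_window(flows).items():
        by_host[src].append((win, nbytes))
    alarms = []
    for src, series in by_host.items():
        history = []
        for win, nbytes in sorted(series):
            over_baseline = (len(history) >= MIN_HISTORY
                             and nbytes > FACTOR * median(history))
            if nbytes >= CEILING or (nbytes >= FLOOR and over_baseline):
                alarms.append((src, win, nbytes))
            # The median tolerates a few spikes; a long-running leak would
            # still shift it, so alarms need to be reviewed promptly.
            history.append(nbytes)
    return sorted(alarms, key=lambda a: (a[1], a[0]))

# Constructed sample: (unix time, source, destination, destination port, bytes).
T0 = 1434456000
SAMPLE_FLOWS = []
for h in range(4):
    # A workstation with light HTTPS traffic and a host with steady large uploads.
    SAMPLE_FLOWS.append((T0 + h * 3600 + 120, "10.1.2.10", "203.0.113.5", 443, 2_000_000))
    SAMPLE_FLOWS.append((T0 + h * 3600 + 300, "10.1.2.20", "198.51.100.7", 443, 300_000_000))
SAMPLE_FLOWS += [
    (T0 + 4 * 3600 + 60, "10.1.2.10", "203.0.113.5", 443, 250_000_000),
    (T0 + 4 * 3600 + 900, "10.1.2.10", "203.0.113.5", 443, 150_000_000),
    (T0 + 4 * 3600 + 300, "10.1.2.20", "198.51.100.7", 443, 300_000_000),
    (T0 + 4 * 3600 + 400, "10.1.2.10", "10.9.9.9", 22, 5_000_000_000),   # internal, not egress
    (T0 + 4 * 3600 + 500, "10.1.2.30", "192.0.2.44", 53, 2_000_000_000), # new host, over ceiling
]

if __name__ == "__main__":
    for host, win, nbytes in egress_alarms(SAMPLE_FLOWS):
        print(f"ALARM {host} window={win} egress={nbytes / 1e6:.0f} MB")
```

The steady 300 MB/hour host never alarms because it matches its own baseline, while the workstation alarms on port 443, which a port-based rule would have allowed.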


Re: [aur-general] Git over HTTPS

2015-06-16 Thread David Kaylor
Asking for a response from the OP: Do you not have other network access
available to maintain your AUR packages? More to the point, are you
maintaining packages on AUR as part of your official responsibilities? Or
just in spare time? Leaving aside, for the moment, all other arguments
regarding blocking outbound SSH, I believe these are fundamental questions.

On Tue, Jun 16, 2015 at 4:22 PM, Alan Jenkins alan.james.jenk...@gmail.com
wrote:

 Hey Giancarlo,

 Most of the large companies block everything and start from there, normally
 everything is blocked outbound and only things that are business critical
 are allowed until the business is able to function. In many cases they will
 block all outbound traffic and only allow access to the internet via ftp,
 http and the mitm style https via a proxy that is able to scan the content
 being sent across the connections to ensure they do not fall foul of a
 trojan or other malware.

 So unless I am missing something how are you going to tunnel out of a
 network if you only have port 21, 80 and 443 which are all really just
 going to the proxy server? If you do know a way I would love to hear it as
 I am interested, but as I stated in the previous email we are off topic.
 The problem is that no matter how hard you moan at the people in control of
 the firewalls they will normally not allow access to something unless
 *they* deem it to be secure, and once the person you are communicating with
 gets annoyed with you they will just send you to the next guy until you get
 annoyed and just give up (been there done that).

 Can we please stick to the feasibility of doing git+https? Github +
 Bitbucket are able to do it so surely we can too right? Or is there too
 much code relying on the SSH public key auth now?

 On 16 June 2015 at 20:30, Giancarlo Razzolini grazzol...@gmail.com
 wrote:

  On 16-06-2015 14:20, Alan Jenkins wrote:
 
  Also may I remind you that the focus of this conversation is allowing
  users
  in corporate environments access to be able to contribute to the AUR.
  These
  environments block SSH for multiple reasons but are able to allow HTTPS
 as
  they are able to more tightly regulate it.
 
  There are literally tons of ways to tunnel out of a network. SSH is just
  one of them. Instead of blocking anything, network admins should monitor
  the traffic using netflow, and set alarms when too much data is leaving
 the
  network. That would prevent a lot of data breaches. Or at least minimize
  their impact.
 
  Expecting to block something to avoid information breach, or any other
  kind of data theft is dumb. Also, come on people. It's 2015. Doesn't
  everybody also have a machine at home?
 
  Cheers,
  Giancarlo Razzolini
 



Re: [aur-general] Git over HTTPS

2015-06-16 Thread Alan Jenkins
Hey Giancarlo,

Most of the large companies block everything and start from there, normally
everything is blocked outbound and only things that are business critical
are allowed until the business is able to function. In many cases they will
block all outbound traffic and only allow access to the internet via ftp,
http and the mitm style https via a proxy that is able to scan the content
being sent across the connections to ensure they do not fall foul of a
trojan or other malware.

So unless I am missing something how are you going to tunnel out of a
network if you only have port 21, 80 and 443 which are all really just
going to the proxy server? If you do know a way I would love to hear it as
I am interested, but as I stated in the previous email we are off topic.
The problem is that no matter how hard you moan at the people in control of
the firewalls they will normally not allow access to something unless
*they* deem it to be secure, and once the person you are communicating with
gets annoyed with you they will just send you to the next guy until you get
annoyed and just give up (been there done that).

Can we please stick to the feasibility of doing git+https? Github +
Bitbucket are able to do it so surely we can too right? Or is there too
much code relying on the SSH public key auth now?

On 16 June 2015 at 20:30, Giancarlo Razzolini grazzol...@gmail.com wrote:

 On 16-06-2015 14:20, Alan Jenkins wrote:

 Also may I remind you that the focus of this conversation is allowing
 users
 in corporate environments access to be able to contribute to the AUR.
 These
 environments block SSH for multiple reasons but are able to allow HTTPS as
 they are able to more tightly regulate it.

 There are literally tons of ways to tunnel out of a network. SSH is just
 one of them. Instead of blocking anything, network admins should monitor
 the traffic using netflow, and set alarms when too much data is leaving the
 network. That would prevent a lot of data breaches. Or at least minimize
 their impact.

 Expecting to block something to avoid information breach, or any other
 kind of data theft is dumb. Also, come on people. It's 2015. Doesn't
 everybody also have a machine at home?

 Cheers,
 Giancarlo Razzolini



Re: [aur-general] Git over HTTPS

2015-06-16 Thread Giancarlo Razzolini

On 16-06-2015 17:22, Alan Jenkins wrote:
Most of the large companies block everything and start from there, 
normally everything is blocked outbound and only things that are 
business critical are allowed until the business is able to function. 
In many cases they will block all outbound traffic and only allow 
access to the internet via ftp, http and the mitm style https via a 
proxy that is able to scan the content being sent across the 
connections to ensure they do not fall foul of a trojan or other malware.


This is stupid, as I already pointed out. Besides, unless the machines are 
rigged with a self signed CA on their browsers stores, you can't inspect 
anything without throwing a big warning to every https site the user 
visits. It certainly breaks a lot of mobile apps functionality.




So unless I am missing something how are you going to tunnel out of a 
network if you only have port 21, 80 and 443 which are all really just 
going to the proxy server? If you do know a way I would love to hear 
it as I am interested, but as I stated in the previous email we are 
off topic.


You can punch a hole using DNS requests, you can use https, you can use 
websockets, you can use a VPN, etc. As I said, there are a lot of options.


The problem is that no matter how hard you moan at the people in 
control of the firewalls they will normally not allow access to 
something unless *they* deem it to be secure, and once the person you 
are communicating with gets annoyed with you they will just send you 
to the next guy until you get annoyed and just give up (been there 
done that).


I'm not moaning at the people in control of the firewalls (heck, I'm 
one of them). I'm complaining with the OP requests and demands that AUR 
devs do something because he needs it.




Can we please stick to the feasibility of doing git+https? Github + 
Bitbucket are able to do it so surely we can too right? Or is there 
too much code relying on the SSH public key auth now?


Is it feasible? Of course it is. Just install sslh in the machine, 
configure it, configure nginx and ssh, and you're done. But you can also 
implement a token auth system over https, like the one GitHub has, so 
we could have git over https. I don't see the devs doing it also, but it 
would be better than to run sslh on the machine.


Again, you can always use another network for doing all this. A more 
open one.


Cheers,
Giancarlo Razzolini


Re: [aur-general] Git over HTTPS

2015-06-16 Thread Magnus Therning
On Tue, Jun 16, 2015 at 08:11:59PM -0300, Giancarlo Razzolini wrote:
 On 16-06-2015 17:22, Alan Jenkins wrote:
[...]
 The problem is that no matter how hard you moan at the people in
 control of the firewalls they will normally not allow access to
 something unless *they* deem it to be secure, and once the person
 you are communicating with gets annoyed with you they will just
 send you to the next guy until you get annoyed and just give up
 (been there done that).
 
 I'm not moaning at the people in control of the firewalls (heck,
 I'm one of them). I'm complaining with the OP requests and demands
 that AUR devs do something because he needs it.

From my POV you are moaning because someone's asking for help to
contribute to Arch!

/M

-- 
Magnus Therning  OpenPGP: 0xAB4DFBA4 
email: mag...@therning.org   jabber: mag...@therning.org
twitter: magthe   http://therning.org/magnus

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic.
 -- Anonymous




Re: [aur-general] Git over HTTPS

2015-06-16 Thread Alan Jenkins
I am with the OP on this, having worked in a cloud security company I
understand why they block port 22 out bound and know it to be a common
problem. It is blocked to stop employees accidentally or intentionally
leaking important customer or business data. You can also use SSH to bypass
security measures in place within the network and even create tunnels back
into the network.

Seriously I believe that there should be the option to do git over ssh as
the limitation to just SSH is going to cause problems for those in
corporate environments meaning we will lose out.

On Tue, 16 Jun 2015 05:33 Eli Schwartz eschwart...@gmail.com wrote:

 It is not necessarily Arch's problem that a tiny minority of users have the
 standard connection methods blocked. While it would be nice if lots of
 options are offered for every possible scenario, that may not necessarily
 happen.
 Think of Github's alternative method as being a bonus, not something to be
 taken for granted. :)

 And the move to git repos may already be alienating some people.
 Regardless, progress and efficiency have been made a priority over
 preserving every last contributor.


 -- Eli Schwartz



Re: [aur-general] Git over HTTPS

2015-06-16 Thread Magnus Therning
On 15 June 2015 at 21:33, Giancarlo Razzolini grazzol...@gmail.com wrote:
 On 15-06-2015 16:26, Tom Swartz wrote:

 With all due respect, requiring that a user punch holes in their security
 firewalls is not a proper or long term solution to the issue at hand.

 It is the only solution.

AFAICS it's the only solution only due to decisions made by the
people maintaining AUR, or is there some technical reason that makes
it *impossible* to allow HTTPS access to the git repos?

 For home users, this might be a valid (although no less sane) solution,
 but
 in corporate networks where the firewall rules are crafted for a reason
 (e.g. to protect the rest of the devices on the network).

 A rule that denies outgoing SSH access is a dumb one. It doesn't protect the
 rest of the devices on the network.

I fully agree with you, but you make a very common mistake here: you
apply logic and rational thinking to a situation that isn't governed
by it :)  You know it's a silly rule, I know it's a silly rule,
everyone I interact with at work on a daily basis knows it's a silly
rule.  However, convincing the IT department of a 5+ behemoth of a
company that it's a silly rule *and that it should be changed* is a
huge undertaking!


 I firmly believe that restricting access to SSH, port 22 only, is
 something
 that will greatly hinder wide adoption.
 At the very least, it will prevent myself from uploading/updating my
 several AUR packages.

 Instead of requiring others to solve your problem, you should explain to
 your network administrators that this rule is counterproductive. I don't
 really think that this will hinder adoption since port 22 is the default ssh
 port.

You clearly are fortunate enough to only be surrounded by people who
base their decisions on logic and who are willing to go back on
earlier decisions, and make changes solely based on well-founded
arguments presented by engineers.  I've worked in about 10+ different
organisations, ranging in size from 50 to 10+ and I have still to
find a place like the one you are in.  I strongly urge you to *never*
switch jobs!

/M

-- 
Magnus Therning  OpenPGP: 0xAB4DFBA4
email: mag...@therning.org   jabber: mag...@therning.org
twitter: magthe   http://therning.org/magnus


Re: [aur-general] Git over HTTPS

2015-06-16 Thread Doug Newgard
On Mon, 15 Jun 2015 11:57:26 -0400
Tom Swartz t...@tswartz.net wrote:

 Hi all,
 
 The majority of my work happens behind corporate firewalls where ssh out
 via port 22 is not an option.
 
 Is there a way to configure GitHub-like SSH via HTTPS ports?
 https://help.github.com/articles/using-ssh-over-the-https-port/
 
 I'd be greatly appreciative if this was the case.
 
 Thanks!
 

What it comes down to is that you want Arch to provide a way for you to bypass
security restrictions your employer has put into place. Does this really sound
like a good idea?


Re: [aur-general] Git over HTTPS

2015-06-16 Thread nmset
On Tuesday 16 June 2015 01:37:36, Doug Newgard wrote:
 What it comes down to is that you want Arch to provide a way for you to
 bypass security restrictions your employer has put into place. Does this
 really sound like a good idea?

But Arch should be more committed and friendly to its contributors than to 
their blind employers, to whom Arch is not tied at all. Security is something 
put forward to mask many other goals... control, power... I won't elaborate 
any further.


Re: [aur-general] Git over HTTPS

2015-06-16 Thread Alexander Görtz
 I am with the OP on this, having worked in a cloud security company I
 understand why they block port 22 out bound and know it to be a common
 problem. It is blocked to stop employees accidentally or intentionally
 leaking important customer or business data. You can also use SSH to bypass
 security measures in place within the network and even create tunnels back
 into the network.
 
 Seriously I believe that there should be the option to do git over ssh as
 the limitation to just SSH is going to cause problems for those in
 corporate environments meaning we will lose out.
 
 On Tue, 16 Jun 2015 05:33 Eli Schwartz eschwart...@gmail.com wrote:
  It is not necessarily Arch's problem that a tiny minority of users have
  the
  standard connection methods blocked. While it would be nice if lots of
  options are offered for every possible scenario, that may not necessarily
  happen.
  Think of Github's alternative method as being a bonus, not something to be
  taken for granted. :)
  
  And the move to git repos may already be alienating some people.
  Regardless, progress and efficiency have been made a priority over
  preserving every last contributor.
  
  
  -- Eli Schwartz

On Tuesday, 16 June 2015, 06:24:05, Alan Jenkins wrote:

 I am with the OP on this, having worked in a cloud security company I
 understand why they block port 22 out bound and know it to be a common
 problem. It is blocked to stop employees accidentally or intentionally
 leaking important customer or business data.

With that reasoning you have to block 80 and 443 too, but I don't think that 
the why is the really important point. I think that this is a reason more to 
implement an alternative of uploading an aur ball, as discussed in another 
thread, and creating a git commit from it. I don't know any implementation 
details, but this shouldn't be too hard as the users are authenticated by the 
webserver already.

Alex



Re: [aur-general] Git over HTTPS

2015-06-16 Thread Marcel Korpel
* Alexander Görtz a...@nyloc.de (Tue, 16 Jun 2015 11:04:51 +0200):
 I think that this is a reason more to implement an alternative of
 uploading an aur ball, as discussed in another thread, and creating a
 git commit from it. I don't know any implementation details, but this
 shouldn't be too hard as the users are authenticated by the webserver
 already.

Lukas already explained in the second half of [1] why this is hardly an
option.

Best, Marcel

[1]https://lists.archlinux.org/pipermail/aur-general/2015-June/030880.html




Re: [aur-general] Git over HTTPS

2015-06-15 Thread Johannes Löthberg

On 15/06, Tom Swartz wrote:

Hi all,

The majority of my work happens behind corporate firewalls where ssh out
via port 22 is not an option.

Is there a way to configure GitHub-like SSH via HTTPS ports?
https://help.github.com/articles/using-ssh-over-the-https-port/

I'd be greatly appreciative if this was the case.



You'll have to use something like the sslh multiplexer

--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/
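
What a port-443 multiplexer such as sslh has to do, shown as an added example that is not part of the original thread and not sslh's own code: classify a new connection by its first bytes, which is also how a network monitor can tell SSH from TLS on port 443 whatever the port number says. The backend addresses and sample bytes are constructed for illustration.

```python
# Added example: first-bytes protocol classification (simplified).
# Not sslh's probe code; backends and samples below are constructed.

SSH_PREFIX = b"SSH-"      # start of the SSH identification string (RFC 4253)
TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

# Hypothetical local backends a multiplexer on port 443 could forward to.
BACKENDS = {"ssh": ("127.0.0.1", 22), "tls": ("127.0.0.1", 8443)}

# Constructed samples: an SSH client banner and a TLS ClientHello record header.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_6.8\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls', 'http', 'need-more' or 'unknown'."""
    if not first_bytes:
        return "need-more"                 # nothing read yet
    if first_bytes.startswith(SSH_PREFIX):
        return "ssh"
    if SSH_PREFIX.startswith(first_bytes):
        return "need-more"                 # partial banner, e.g. b"SS"
    if first_bytes[0] == TLS_HANDSHAKE:
        if len(first_bytes) < 3:
            return "need-more"
        # Record-layer version: major 3, minor 0..4 (SSL 3.0 .. TLS 1.3).
        if first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
            return "tls"
        return "unknown"
    if any(first_bytes.startswith(m) for m in HTTP_METHODS):
        return "http"
    if any(m.startswith(first_bytes) for m in HTTP_METHODS):
        return "need-more"                 # partial HTTP method
    return "unknown"


def route(first_bytes: bytes):
    """Pick a backend for the connection; None means hold or drop it."""
    return BACKENDS.get(classify(first_bytes))


if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_TLS, b"SS", b"GET / HTTP/1.1\r\n"):
        print(sample[:12], classify(sample), route(sample))
```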




[aur-general] Git over HTTPS

2015-06-15 Thread Tom Swartz
Hi all,

The majority of my work happens behind corporate firewalls where ssh out
via port 22 is not an option.

Is there a way to configure GitHub-like SSH via HTTPS ports?
https://help.github.com/articles/using-ssh-over-the-https-port/

I'd be greatly appreciative if this was the case.

Thanks!

-- 
Tom Swartz


Re: [aur-general] Git over HTTPS

2015-06-15 Thread Eli Schwartz
It is not necessarily Arch's problem that a tiny minority of users have the
standard connection methods blocked. While it would be nice if lots of
options are offered for every possible scenario, that may not necessarily
happen.
Think of Github's alternative method as being a bonus, not something to be
taken for granted. :)

And the move to git repos may already be alienating some people.
Regardless, progress and efficiency have been made a priority over
preserving every last contributor.


-- Eli Schwartz



Re: [aur-general] Git over HTTPS

2015-06-15 Thread Giancarlo Razzolini

On 15-06-2015 22:20, Tom Swartz wrote:

I'm not requiring that others solve my problem, Giancarlo.
As mentioned, this is an impossibility in our organization, and (I'm sure)
many others.


Not that many, I hope.


There are many technical reasons for this limitation in our organization,
too in-depth to discuss here.


None of them are technical, but are misguided choices and preferences.




I've pointed out an issue which I'm sure currently will continue to
affect users, and here is my suggested solution:
I'm stating that the latest update to the AUR, which seems to be
`git-via-ssh-port-22-only` should expand the options for use.


It's not via ssh only. You have the option of cloning the repo over 
https. Of course it's read only, but you at least can see the contents 
of the repo.




I'm suggesting that there should at least be some discussion about adopting
GitHub-style connections; wherein standard connections are via standard
protocol; ssh on port 22, or (optionally, in the instances where it's not
technically feasible) via an alternate method; ssh via port 443.
While this exact solution does not need to be followed to the letter, I'm
describing it here so that my point may be made.


Strangely enough, github only allows this method of connection for their 
github.com repos, not the, aham, GitHub Enterprise repos. Guessing these 
poor companies have to allow ssh over port 22 because the evil github 
won't allow other ports.




I can say with 100% certainty that my PKGBUILDS will not be updated without
an alternate form of access that is not SSH via Port 22.
It's infeasible to transport my PKGBUILDS off-site just so I can run some
git commands on another network.
I'd welcome any suggestions otherwise.


A PKGBUILD of only a few Kb? You can't email it to yourself? Really, 
your arguments are getting more and more pointless. I'm really sorry for 
you that you can't access an unblocked internet.


Cheers,
Giancarlo Razzolini


Re: [aur-general] Git over HTTPS

2015-06-15 Thread Tom Swartz
Instead of requiring others to solve your problem, you should explain to
your network administrators that this rule is counterproductive. I don't
really think that this will hinder adoption since port 22 is the default
ssh port.

I'm not requiring that others solve my problem, Giancarlo.
As mentioned, this is an impossibility in our organization, and (I'm sure)
many others.
There are many technical reasons for this limitation in our organization,
too in-depth to discuss here.


I've pointed out an issue which I'm sure currently will continue to
affect users, and here is my suggested solution:
I'm stating that the latest update to the AUR, which seems to be
`git-via-ssh-port-22-only` should expand the options for use.

I'm suggesting that there should at least be some discussion about adopting
GitHub-style connections; wherein standard connections are via standard
protocol; ssh on port 22, or (optionally, in the instances where it's not
technically feasible) via an alternate method; ssh via port 443.
While this exact solution does not need to be followed to the letter, I'm
describing it here so that my point may be made.

I can say with 100% certainty that my PKGBUILDS will not be updated without
an alternate form of access that is not SSH via Port 22.
It's infeasible to transport my PKGBUILDS off-site just so I can run some
git commands on another network.
I'd welcome any suggestions otherwise.

Cheers,
-- 
Thomas Swartz


Re: [aur-general] Git over HTTPS

2015-06-15 Thread Giancarlo Razzolini

On 15-06-2015 16:26, Tom Swartz wrote:

With all due respect, requiring that a user punch holes in their security
firewalls is not a proper or long term solution to the issue at hand.


It is the only solution.



For home users, this might be a valid (although no less sane) solution, but
in corporate networks where the firewall rules are crafted for a reason
(e.g. to protect the rest of the devices on the network).


A rule that denies outgoing SSH access is a dumb one. It doesn't protect 
the rest of the devices on the network.




As I mentioned in my original posting, (and as several other users
mentioned) many of the solutions are server-side fixes.


Which requires using software that, not only can introduce security 
issues, can decrease the performance. I've used sshlp in the past, 
although I don't think it has any exploitable bugs, it's not as widely 
used as nginx and openssh itself.




I firmly believe that restricting access to SSH, port 22 only, is something
that will greatly hinder wide adoption.
At the very least, it will prevent myself from uploading/updating my
several AUR packages.


Instead of requiring others to solve your problem, you should explain to 
your network administrators that this rule is counterproductive. I don't 
really think that this will hinder adoption since port 22 is the default 
ssh port.


Cheers,


Re: [aur-general] Git over HTTPS

2015-06-15 Thread Pablo Lezaeta Reyes
2015-06-15 16:33 GMT-03:00 Giancarlo Razzolini grazzol...@gmail.com:

 On 15-06-2015 16:26, Tom Swartz wrote:

 With all due respect, requiring that a user punch holes in their security
 firewalls is not a proper or long term solution to the issue at hand.


 It is the only solution.

It is not the only one, as pointed out in this thread;
also, have you not considered the idea that bureaucracy for something as simple
as opening a port could take months if not years, or even countless failed
attempts?



 For home users, this might be a valid (although no less sane) solution,
 but
 in corporate networks where the firewall rules are crafted for a reason
 (e.g. to protect the rest of the devices on the network).


 A rule that denies outgoing SSH access is a dumb one. It doesn't protect
 the rest of the devices on the network.

In my school we get attempts to brute-force into our server... this once
was attempted through port 22; that is what I got in response to my request to open
port 22 in my school firewall.

Therefore they refuse to open 22 since that incident.


 As I mentioned in my original posting, (and as several other users
 mentioned) many of the solutions are server-side fixes.


 Which requires using software that, not only can introduce security
 issues, can decrease the performance. I've used sshlp in the past, although
 I don't think it has any exploitable bugs, it's not as widely used as nginx
 and openssh itself.

Or do you think it is saner that every user repeats a process for every machine,
instead of being offered an alternative port for those countless users that can't
(as I mentioned earlier) open 22?


 I firmly believe that restricting access to SSH, port 22 only, is
 something
 that will greatly hinder wide adoption.
 At the very least, it will prevent myself from uploading/updating my
 several AUR packages.


 Instead of requiring others to solve your problem, you should explain to
 your network administrators that this rule is counterproductive. I don't
 really think that this will hinder adoption since port 22 is the default
 ssh port.

 Well, bureaucracy and dumb admins are enough to not let you open port 22;
this world is a place full of people of all kinds, and full of dumb
decisions.

 Cheers,




-- 
*Pablo Lezaeta*


Re: [aur-general] Git over HTTPS

2015-06-15 Thread Bruno Pagani


On 15/06/2015 22:00, Pablo Lezaeta Reyes wrote:
 2015-06-15 16:33 GMT-03:00 Giancarlo Razzolini grazzol...@gmail.com:

 On 15-06-2015 16:26, Tom Swartz wrote:
 A rule that denies outgoing SSH access is a dumb one. It doesn't protect
 the rest of the devices on the network.

 In my school we get attempts to brute-force into our server... this once
 was attempted through port 22; that is what I got in response to my request to open
 port 22 in my school firewall.

 Therefore they refuse to open 22 since that incident.

Then you should specify that you want *outgoing* on port 22 to be open. Not
/incoming/.

Bruno





[aur-general] Git over HTTPS

2015-06-15 Thread Justin Dray
If your network admins don't know the difference between incoming and
outgoing ports, or not opening things like ssh ports to the internet that
really isn't an Arch problem...

- Justin


-- 
Regards,
Justin Dray
E: jus...@dray.be
M: 0433348284


Re: [aur-general] Git over HTTPS

2015-06-15 Thread Giancarlo Razzolini

On 15-06-2015 17:00, Pablo Lezaeta Reyes wrote:

It is not the only one, as pointed out in this thread;
also, have you not considered the idea that bureaucracy for something as 
simple as opening a port could take months if not years, or even countless 
failed attempts?


Well, each organization has its own process. But, it doesn't protect 
any internal machine not to allow outgoing ssh.


In my school we get attempts to brute-force into our server... this 
once was attempted through port 22; that is what I got in response to my 
request to open port 22 in my school firewall.


Yes, this is a common problem. You can have some sort of blocking 
daemon, like fail2ban, or you can change the ssh port altogether. But, I 
don't see arch doing this, since tcp port 22 is the IANA assigned port 
for SSH. I bet they have bruteforce mitigations in place, on top of only 
allowing PubKey authentication.




Therefore they refuse to open 22 since that incident.

Or do you think it is saner that every user repeats a process for every 
machine, instead of being offered an alternative port for those countless 
users that can't (as I mentioned earlier) open 22? Well, bureaucracy and dumb 
admins are enough to not let you open port 22; this world is a place 
full of people of all kinds, and full of dumb decisions.


If they can't distinguish, as other people already mentioned, 
incoming from outgoing, then they should really rethink their careers. 
It's the same thing with ICMP or VLANs. I don't really worry about 
being blocked at any place I might go because I use a VPN. I think 
everybody should get one, not just for better privacy and unblocked 
internet access, but for avoiding ISP QoS. But it's sad to know that 
some people will let this kind of blocking (which is relatively easy to 
circumvent) prevent them from contributing to arch.


Cheers,
Giancarlo Razzolini