On Sun, Jun 26, 2011 at 10:16 AM, martin <mar...@siamect.com> wrote:

> The https solution is not mature in the same way as the ssh solution.
> SSH has protected Unix/Linux boxes for ages.
>

One might argue that SSH has exposed Unix/Linux boxes to attacks, not
protected them, for ages; just have a quick look at the security logs on
your server, and you'll discover that SSH is the preferred choice of anyone
targeting your server. SSH will by default offer a connecting user a
shell; the gitorious script bypasses this by restricting which actions a
user can do on the server.


> I don't understand why you are concerned about the dedicated git user
> account... just lock it down properly. You have exactly the same
> situation on every ssh server on the planet.
>

As I mentioned above, I suspect most users running their own Gitorious
servers have sshd running as the root user, since otherwise they'd need a
separate IP address/port in order to do maintenance on their servers. I
don't think it's reasonable to assume people looking for a way to
collaborate on code have experience in locking down a SSH daemon on their
server.


> And I also saw concerns about JGit and writing to the repos. I think all
> writing to the repos should be done using code from the git project.
>

I really don't get this. JGit had a bug, and that bug was resolved. JGit is
used in Eclipse by thousands of developers, and they trust it to do its job.
JGit is also used in Gerrit, which means the Android repositories would be
at stake if JGit didn't work. I don't think they'd use that if there was a
real risk in doing so. Furthermore, have you looked at the vulnerabilities
in Git over the last few years? You'll find plenty of buffer overflow
vulnerabilities, command injection tricks etc. that don't exist in JGit.

Would you be as skeptical of, for instance, the libgit2 project (
http://libgit2.github.com/)?

Cheers,
- Marius
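The restriction Marius describes above (the shared git account's keys only ever reach a wrapper, never a shell) as an added example that is not Gitorious's own script: a POSIX sh forced command for the account's authorized_keys that permits only git-upload-pack and git-receive-pack on a validated repository name. The /var/git/repositories base directory, the script name and the authorized_keys line are assumptions.

```shell
#!/bin/sh
# Added example, not Gitorious's own gitorious-shell: a forced-command wrapper
# for the shared "git" account. sshd puts the client's requested command in
# SSH_ORIGINAL_COMMAND; instead of a shell, the key may only run the two git
# transport commands against repositories under an assumed base directory.
# Assumed authorized_keys line (one per user key), restricting the key further:
#   command="/usr/local/bin/git-only.sh",no-pty,no-port-forwarding,\
#   no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... user@example
REPO_BASE="${REPO_BASE:-/var/git/repositories}"   # assumed repository root

# check_command "<cmd>": prints "<verb> <repo>" if the request is acceptable,
# returns 1 (printing nothing) otherwise.
check_command() {
    cmd="$1"
    case "$cmd" in
        git-upload-pack\ *|git-receive-pack\ *) ;;   # fetch/clone and push only
        *) return 1 ;;
    esac
    verb="${cmd%% *}"
    repo="${cmd#* }"
    # git clients wrap the path in single quotes; drop one surrounding pair
    q="'"
    repo="${repo#$q}"
    repo="${repo%$q}"
    # relative path, restricted charset, no traversal, no option-looking name
    case "$repo" in
        ''|/*|-*|*..*|*//*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    case "$repo" in
        *.git) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$repo"
}

# Entry point when sshd runs this as the forced command.
main() {
    parsed=$(check_command "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "git-only: command rejected" >&2; exit 1; }
    verb="${parsed%% *}"
    repo="${parsed#* }"
    [ -d "$REPO_BASE/$repo" ] || { echo "git-only: no such repository" >&2; exit 1; }
    exec "$verb" "$REPO_BASE/$repo"   # never a shell, only the chosen transport
}
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then main; fi
```

Anything rejected is logged to stderr, which the client sees as the reason its fetch or push was refused.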

-- 
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com