Re: Secure Vcs-Git on alioth

2016-07-17 Thread Yuri D'Elia
On Sun, Jul 17 2016, Christian Seiler wrote:
> That way, I always use SSH for alioth (and can then push
> without trouble, even if I first checked out a repository
> via debcheckout or similar), but the repositories can
> use the HTTPS URI instead for people without an alioth
> account.

That's something I didn't know about ~/.gitconfig yet.
Will be helpful in other scenarios as well.

Thanks for mentioning.



Re: Secure Vcs-Git on alioth

2016-07-17 Thread Yuri D'Elia
On Sun, Jul 17 2016, Jakub Wilk wrote:
> Are you sure it's about git:// vs https://?

Not anymore?!

> Shallow cloning has never worked for me reliably:
>
> $ git clone -v --depth=10 git://anonscm.debian.org/collab-maint/trend.git
> Cloning into 'trend'...
> Looking up anonscm.debian.org ... done.
> Connecting to anonscm.debian.org (port 9418) ... 5.153.231.21 done.
> fatal: The remote end hung up unexpectedly
> fatal: early EOF
> fatal: index-pack failed

I generally clone with --depth=1, and that's what I was trying.
But yes, now it doesn't work anymore even with git://.

Is this intentional on alioth? [maybe to avoid extra load due to remote
repack?]



Re: Secure Vcs-Git on alioth

2016-07-17 Thread Christian Seiler
On 07/17/2016 02:15 PM, Yuri D'Elia wrote:
> Regarding Lintian's informational warning about insecure git:// URIs in
> the Vcs-Git field:
> 
> https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
> 
> I can switch easily from:
> 
>   git://anonscm.debian.org/collab-maint/trend.git
> 
> to
> 
>   https://anonscm.debian.org/git/collab-maint/trend.git
> 
> however shallow cloning (which I use regularly), breaks.
> 
> I found an old mention exactly about this issue that boiled down to using
> your alioth account to use git+ssh. However, this is _not_ what I would
> suggest to a random user expecting to be able to clone from the provided
> URL.
> 
> So, how serious is this "suggestion"?

I have the following in my ~/.gitconfig:

[url "git+ssh://git.debian.org/git/"]
	insteadOf = git://anonscm.debian.org/
	insteadOf = git://git.debian.org/
	insteadOf = https://anonscm.debian.org/git/
	insteadOf = https://anonscm.debian.org/cgit/
	insteadOf = http://anonscm.debian.org/git/
	insteadOf = http://anonscm.debian.org/cgit/

That way, I always use SSH for alioth (and can then push
without trouble, even if I first checked out a repository
via debcheckout or similar), but the repositories can
use the HTTPS URI instead for people without an alioth
account.

Regards,
Christian
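
An added example, not part of the thread and not Christian's own script: it loads the insteadOf rules from the message above into a throwaway HOME and asks git which URL it would actually contact, using `git ls-remote --get-url`, which makes no connection. The helper names `sgit`, `effective_url` and `is_secure_transport` are hypothetical, and the example.org URL is constructed.

```shell
#!/bin/sh
# Resolve Vcs-Git style URLs through url.<base>.insteadOf rules without
# touching the network or the real ~/.gitconfig.

SANDBOX=$(mktemp -d)   # throwaway HOME, constructed for this example
trap 'rm -rf "$SANDBOX"' EXIT

# Run git against the sandbox config only: no system or XDG config.
sgit() {
    HOME="$SANDBOX" XDG_CONFIG_HOME="$SANDBOX/.config" GIT_CONFIG_NOSYSTEM=1 git "$@"
}

# The rewrite rules from the message, added one by one with --add because
# url.<base>.insteadOf is a multi-valued key.
BASE='git+ssh://git.debian.org/git/'
for prefix in \
    git://anonscm.debian.org/ \
    git://git.debian.org/ \
    https://anonscm.debian.org/git/ \
    https://anonscm.debian.org/cgit/ \
    http://anonscm.debian.org/git/ \
    http://anonscm.debian.org/cgit/
do
    sgit config --global --add "url.${BASE}.insteadOf" "$prefix"
done

# Print the URL git would use for $1 after insteadOf rewriting.
effective_url() {
    sgit ls-remote --get-url "$1"
}

# Return 0 when the effective URL uses an encrypted, server-authenticated
# transport; return 1 for cleartext schemes such as git:// or http://.
is_secure_transport() {
    case "$(effective_url "$1")" in
        https://*|ssh://*|git+ssh://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample URLs: two from the thread, one constructed URL that no rule matches.
for u in \
    git://anonscm.debian.org/collab-maint/trend.git \
    https://anonscm.debian.org/git/collab-maint/trend.git \
    git://example.org/unrelated.git
do
    printf '%s -> %s\n' "$u" "$(effective_url "$u")"
done
```

The rewrite is local to the machine that carries the config: a URL that no rule matches, or any URL cloned on a machine without these rules, is still contacted exactly as written in the Vcs-Git field.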



Re: Secure Vcs-Git on alioth

2016-07-17 Thread Jakub Wilk

* Yuri D'Elia, 2016-07-17, 14:15:
> Regarding Lintian's informational warning about insecure git:// URIs in
> the Vcs-Git field:
>
> https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
>
> I can switch easily from:
>
>  git://anonscm.debian.org/collab-maint/trend.git
>
> to
>
>  https://anonscm.debian.org/git/collab-maint/trend.git
>
> however shallow cloning (which I use regularly), breaks.

Are you sure it's about git:// vs https://? Shallow cloning has never
worked for me reliably:

$ git clone -v --depth=10 git://anonscm.debian.org/collab-maint/trend.git
Cloning into 'trend'...
Looking up anonscm.debian.org ... done.
Connecting to anonscm.debian.org (port 9418) ... 5.153.231.21 done.
fatal: The remote end hung up unexpectedly
fatal: early EOF
fatal: index-pack failed

$ git clone -v --depth=10 https://anonscm.debian.org/git/collab-maint/trend.git
Cloning into 'trend'...
POST git-upload-pack (156 bytes)
POST git-upload-pack (165 bytes)
fatal: The remote end hung up unexpectedly
fatal: protocol error: bad pack header

--
Jakub Wilk



Secure Vcs-Git on alioth

2016-07-17 Thread Yuri D'Elia
Regarding Lintian's informational warning about insecure git:// URIs in
the Vcs-Git field:

https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html

I can switch easily from:

  git://anonscm.debian.org/collab-maint/trend.git

to

  https://anonscm.debian.org/git/collab-maint/trend.git

however shallow cloning (which I use regularly), breaks.

I found an old mention exactly about this issue that boiled down to using
your alioth account to use git+ssh. However, this is _not_ what I would
suggest to a random user expecting to be able to clone from the provided
URL.

So, how serious is this "suggestion"?