Re: Secure Vcs-Git on alioth
On Sun, Jul 17 2016, Christian Seiler wrote:
> That way, I always use SSH for alioth (and can then push
> without trouble, even if I first checked out a repository
> via debcheckout or similar), but the repositories can
> use the HTTPS URI instead for people without an alioth
> account.

That's something I didn't know on ~/.gitconfig yet. Will be helpful in
other scenarios as well. Thanks for mentioning.

Re: Secure Vcs-Git on alioth
On Sun, Jul 17 2016, Jakub Wilk wrote:
> Are you sure it's about git:// vs https://?

Not anymore?!

> Shallow cloning has never worked for me reliably:
>
> $ git clone -v --depth=10 git://anonscm.debian.org/collab-maint/trend.git
> Cloning into 'trend'...
> Looking up anonscm.debian.org ... done.
> Connecting to anonscm.debian.org (port 9418) ... 5.153.231.21 done.
> fatal: The remote end hung up unexpectedly
> fatal: early EOF
> fatal: index-pack failed

I generally clone with --depth=1, and that's what I was trying.
But yes, now it doesn't work anymore even with git://.

Is this intentional on alioth?
[maybe to avoid extra load due to remote repack?]

Re: Secure Vcs-Git on alioth
On 07/17/2016 02:15 PM, Yuri D'Elia wrote:
> Regarding Lintian's informational warning about insecure git:// URIs in
> the Vcs-Git field:
>
> https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
>
> I can switch easily from:
>
> git://anonscm.debian.org/collab-maint/trend.git
>
> to
>
> https://anonscm.debian.org/git/collab-maint/trend.git
>
> however shallow cloning (which I use regularly), breaks.
>
> I found an old mention exactly about this issue that boiled down to use
> your alioth account to use git+ssh. However, this is _not_ what I would
> suggest to a random user expecting to be able to clone from the provided
> URL.
>
> So, how serious is this "suggestion"?

I have the following in my ~/.gitconfig:

[url "git+ssh://git.debian.org/git/"]
	insteadOf = git://anonscm.debian.org/
	insteadOf = git://git.debian.org/
	insteadOf = https://anonscm.debian.org/git/
	insteadOf = https://anonscm.debian.org/cgit/
	insteadOf = http://anonscm.debian.org/git/
	insteadOf = http://anonscm.debian.org/cgit/

That way, I always use SSH for alioth (and can then push
without trouble, even if I first checked out a repository
via debcheckout or similar), but the repositories can
use the HTTPS URI instead for people without an alioth
account.

Regards,
Christian

Re: Secure Vcs-Git on alioth
* Yuri D'Elia, 2016-07-17, 14:15:
> Regarding Lintian's informational warning about insecure git:// URIs in
> the Vcs-Git field:
>
> https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
>
> I can switch easily from:
>
> git://anonscm.debian.org/collab-maint/trend.git
>
> to
>
> https://anonscm.debian.org/git/collab-maint/trend.git
>
> however shallow cloning (which I use regularly), breaks.

Are you sure it's about git:// vs https://?
Shallow cloning has never worked for me reliably:

$ git clone -v --depth=10 git://anonscm.debian.org/collab-maint/trend.git
Cloning into 'trend'...
Looking up anonscm.debian.org ... done.
Connecting to anonscm.debian.org (port 9418) ... 5.153.231.21 done.
fatal: The remote end hung up unexpectedly
fatal: early EOF
fatal: index-pack failed

$ git clone -v --depth=10 https://anonscm.debian.org/git/collab-maint/trend.git
Cloning into 'trend'...
POST git-upload-pack (156 bytes)
POST git-upload-pack (165 bytes)
fatal: The remote end hung up unexpectedly
fatal: protocol error: bad pack header

--
Jakub Wilk

Secure Vcs-Git on alioth
Regarding Lintian's informational warning about insecure git:// URIs in
the Vcs-Git field:

https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html

I can switch easily from:

git://anonscm.debian.org/collab-maint/trend.git

to

https://anonscm.debian.org/git/collab-maint/trend.git

however shallow cloning (which I use regularly), breaks.

I found an old mention exactly about this issue that boiled down to use
your alioth account to use git+ssh. However, this is _not_ what I would
suggest to a random user expecting to be able to clone from the provided
URL.

So, how serious is this "suggestion"?
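
Added example, not part of the thread and not Lintian's own code: a small checker that reads the source stanza of a debian/control file, flags a Vcs-Git URI on an unauthenticated transport, and proposes the anonscm HTTPS form quoted above. The function names, the list of schemes treated as insecure and the sample control file are assumptions made for this illustration.

```python
# Schemes with no transport integrity or server authentication.
# Assumption of this example; the Lintian tag's own list may differ.
INSECURE_SCHEMES = ("git://", "http://")

# Rewrite quoted in the thread: git://anonscm.debian.org/<path>
# becomes https://anonscm.debian.org/git/<path>.
ANONSCM_GIT = "git://anonscm.debian.org/"
ANONSCM_HTTPS = "https://anonscm.debian.org/git/"


def parse_source_stanza(control_text):
    """Return the fields of the first stanza of a debian/control file."""
    fields, last = {}, None
    for line in control_text.splitlines():
        if not line.strip():
            if fields:
                break                      # a blank line ends the stanza
            continue
        if line.startswith("#"):
            continue                       # comment line
        if line[0] in " \t" and last:
            fields[last] += "\n" + line.strip()   # continuation line
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        fields[last] = value.strip()
    return fields


def check_vcs_git(control_text):
    """Return (uri, suggestion) if Vcs-Git is insecure, else None."""
    value = parse_source_stanza(control_text).get("vcs-git")
    if not value:
        return None
    uri = value.split()[0]                 # drop an optional "-b <branch>"
    if not uri.lower().startswith(INSECURE_SCHEMES):
        return None
    suggestion = None                      # only the anonscm mapping is known
    if uri.startswith(ANONSCM_GIT):
        suggestion = ANONSCM_HTTPS + uri[len(ANONSCM_GIT):]
    return uri, suggestion


# Constructed sample control file using the repository named in the thread.
SAMPLE = """\
Source: trend
Maintainer: Example Maintainer <maintainer@example.org>
Vcs-Git: git://anonscm.debian.org/collab-maint/trend.git
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/trend.git

Package: trend
Architecture: any
"""

if __name__ == "__main__":
    print(check_vcs_git(SAMPLE))
```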