Re: [fossil-users] fossil and SSL
On Sun, 2011-11-13 at 12:50 -0500, Richard Hipp wrote:
> On Sun, Nov 13, 2011 at 6:39 AM, ST smn...@gmail.com wrote:
>> Hi, I'm new to fossil and have several questions:
>>
>> 1) how do I open new tickets on fossil-scm.org? I didn't see something like new ticket on the web UI...
>
> Anonymous ticketing was turned off because it was being flooded with support requests, rather than actual bug reports. For example, if it had been turned on, you probably would have written a bug report for this very question, wouldn't you?

You are astute ;)

> We prefer to reserve tickets for reporting actual malfunctions, and so on fossil-scm.org, we require a username/password in order to write a new ticket. That goes a long way toward keeping down the noise.
>
> It has been suggested that we create a hold for moderation system for tickets, such that anonymous tickets can be input, but do not actually go into the system until approved by a registered user. That would allow random passers-by on the internet to write tickets, but would also let us filter the tickets to keep real bug reports and discard support requests, test tickets, and spam. I'll probably add a moderator system at some point, when I get a chance, if somebody else doesn't volunteer to do it first. But it isn't available right this moment. Sorry.

With such excellent responses there is no need for this feature :)

>> 2) why do I have to do this http://www.fossil-scm.org/index.html/doc/trunk/www/custom_ticket.wiki manually? Shouldn't this be there out of the box? It's kind of basic functionality that one finds in any ticket tracking app...
>
> It is there out-of-the-box. The page above merely shows you how to modify the default setup, in case you want to do something a little different from what the out-of-the-box configuration does.

Pardon. I'm on a debian stable with fossil version from 2010-08-08 21:16:13. I didn't see this functionality in my old fossil version and assumed (after reading that page) that it is intentionally not implemented.

>> 3) as far as I understand if one accidentally starts fossil server/fossil ui - it will provide insecure access to the repository even if one had configured inetd/stunnel/fossil to use SSL, right? Is there a way to avoid such situations and force fossil to always use SSL?
>
> fossil ui binds to 127.0.0.1 only, so it is not accessible from other machines on the network. If you do fossil server then your repository will be accessible remotely (on port 8080 by default) but people still need to know user names and passwords in order to log in.

Yes, but data stream is unencrypted.

> But it seems rather difficult to accidentally run fossil server, no? How do you accidentally start a server?

Well, only the universe can come into existence completely accidentally, what I meant was when somebody types fossil server without realizing or forgetting for a moment that the data will be sent unencrypted. Another possible reason for misusing fossil server could be laziness: two employers decide to exchange data ad hoc using fossil server without SSL because, let's say, certificate has expired, or wasn't issued (yet) for the client, even though the client is allowed to access the repo. So if there were option like always use SSL - disabling it would be as difficult as issuing new certificate and the two would prefer the latter.

Thank you,
ST

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
[fossil-users] fossil and SSL
Hi, I'm new to fossil and have several questions:

1) how do I open new tickets on fossil-scm.org? I didn't see something like new ticket on the web UI...

2) why do I have to do this http://www.fossil-scm.org/index.html/doc/trunk/www/custom_ticket.wiki manually? Shouldn't this be there out of the box? It's kind of basic functionality that one finds in any ticket tracking app...

3) as far as I understand if one accidentally starts fossil server/fossil ui - it will provide insecure access to the repository even if one had configured inetd/stunnel/fossil to use SSL, right? Is there a way to avoid such situations and force fossil to always use SSL?

4) what happens if one autosync/pull/push from a remote repository, does it also expose the local repository as in 3) ?

thank you very much,
ST
Re: [fossil-users] fossil and SSL
On 11/13/11 12:39, ST wrote:
> 3) as far as I understand if one accidentally starts fossil server/fossil ui - it will provide insecure access to the repository even if one had configured inetd/stunnel/fossil to use SSL, right? Is there a way to avoid such situations and force fossil to always use SSL?

Depending on the situation, it may be relevant to note that fossil ui only listens on localhost.

fossil server does not currently support SSL, though if there's interest in this, I can look into it.

(For completeness, I mention setting up Fossil as a cgi application using apache, because you can fine-tune access to the repository using client certificate rules).

> 4) what happens if one autosync/pull/push from a remote repository, does it also expose the local repository as in 3) ?

I don't quite understand what you're asking -- are you asking if sync/pull/push temporarily starts a server? If that's the case, then the answer is no.

--
Kind regards,
Jan Danielsson
Re: [fossil-users] fossil and SSL
On Sun, 2011-11-13 at 16:14 +0100, Jan Danielsson wrote:
> On 11/13/11 12:39, ST wrote:
>> 3) as far as I understand if one accidentally starts fossil server/fossil ui - it will provide insecure access to the repository even if one had configured inetd/stunnel/fossil to use SSL, right? Is there a way to avoid such situations and force fossil to always use SSL?
>
> Depending on the situation, it may be relevant to note that fossil ui only listens on localhost.

So there is no chance that somebody from another IP will be able to access the repository, even if he has valid user login/password, right?

> fossil server does not currently support SSL, though if there's interest in this, I can look into it.

yes, there is. Thank you in advance! Should I open a feature request? (if yes where can I do it?)

> (For completeness, I mention setting up Fossil as a cgi application using apache, because you can fine-tune access to the repository using client certificate rules).

Let's assume I did it. What happens when I accidentally start fossil server on a port different from that of apache? It will provide access to the repository without SSL, so neither apache nor stunnel helps in such a situation, correct?

>> 4) what happens if one autosync/pull/push from a remote repository, does it also expose the local repository as in 3) ?
>
> I don't quite understand what you're asking -- are you asking if sync/pull/push temporarily starts a server? If that's the case, then the answer is no.

yes, that's what I meant :)

Thank you,
ST
Re: [fossil-users] fossil and SSL
On Sun, Nov 13, 2011 at 6:39 AM, ST smn...@gmail.com wrote:
> Hi, I'm new to fossil and have several questions:
>
> 1) how do I open new tickets on fossil-scm.org? I didn't see something like new ticket on the web UI...

Anonymous ticketing was turned off because it was being flooded with support requests, rather than actual bug reports. For example, if it had been turned on, you probably would have written a bug report for this very question, wouldn't you?

We prefer to reserve tickets for reporting actual malfunctions, and so on fossil-scm.org, we require a username/password in order to write a new ticket. That goes a long way toward keeping down the noise.

It has been suggested that we create a hold for moderation system for tickets, such that anonymous tickets can be input, but do not actually go into the system until approved by a registered user. That would allow random passers-by on the internet to write tickets, but would also let us filter the tickets to keep real bug reports and discard support requests, test tickets, and spam. I'll probably add a moderator system at some point, when I get a chance, if somebody else doesn't volunteer to do it first. But it isn't available right this moment. Sorry.

> 2) why do I have to do this http://www.fossil-scm.org/index.html/doc/trunk/www/custom_ticket.wiki manually? Shouldn't this be there out of the box? It's kind of basic functionality that one finds in any ticket tracking app...

It is there out-of-the-box. The page above merely shows you how to modify the default setup, in case you want to do something a little different from what the out-of-the-box configuration does.

> 3) as far as I understand if one accidentally starts fossil server/fossil ui - it will provide insecure access to the repository even if one had configured inetd/stunnel/fossil to use SSL, right? Is there a way to avoid such situations and force fossil to always use SSL?

fossil ui binds to 127.0.0.1 only, so it is not accessible from other machines on the network. If you do fossil server then your repository will be accessible remotely (on port 8080 by default) but people still need to know user names and passwords in order to log in.

But it seems rather difficult to accidentally run fossil server, no? How do you accidentally start a server?

> 4) what happens if one autosync/pull/push from a remote repository, does it also expose the local repository as in 3) ?

If you fossil push then information is transferred from the local repo to the remote repo. That's what fossil push is supposed to do. Fossil push/pull/sync does not activate the server mode, if that is what you are asking.

> thank you very much,
> ST

--
D. Richard Hipp
d...@sqlite.org
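
The distinction drawn in this thread (fossil ui listens on 127.0.0.1 only, fossil server is reachable remotely and does not speak SSL) can be audited on a host. The following is an added example, not code from the thread or from the Fossil project; it assumes Linux `ss` from iproute2 and a process name of `fossil`, and the sample socket listing is constructed.

```shell
#!/bin/sh
# Added example: report fossil listeners that other hosts can reach.
# A fossil process bound to a non-loopback address serves plain HTTP,
# regardless of any stunnel/apache front end configured on another port.

# Constructed sample in the column layout of `ss -ltnp` (header removed).
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("fossil",pid=4121,fd=3))
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:* users:(("fossil",pid=4188,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("stunnel4",pid=901,fd=7))
LISTEN 0 128 [::]:8080 [::]:* users:(("fossil",pid=4121,fd=4))
LISTEN 0 128 [::1]:8082 [::]:* users:(("fossil",pid=4300,fd=3))'

# Reads `ss -ltnp` lines on stdin; prints "host port" for every listening
# socket owned by a process named fossil that is not bound to loopback.
fossil_exposed_listeners() {
    awk '
        $1 == "LISTEN" && $NF ~ /"fossil",/ {
            host = $4; sub(/:[^:]*$/, "", host)   # strip trailing :port
            port = $4; sub(/.*:/, "", port)       # keep text after last colon
            if (host ~ /^127\./ || host == "[::1]") next
            print host " " port
        }'
}

# Live check for cron or a monitoring agent; returns 1 if anything is exposed.
# The process column is only populated for other users' sockets when run as root.
audit_live_host() {
    exposed="$(ss -ltnp 2>/dev/null | fossil_exposed_listeners)"
    [ -z "$exposed" ] && return 0
    printf 'fossil reachable without SSL on:\n%s\n' "$exposed" >&2
    return 1
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | fossil_exposed_listeners
```

On the sample, the two wildcard binds on port 8080 are reported, while the loopback binds and the stunnel listener on 443 are not.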