From: fluxboks@openmailbox.org
To: 22883@debbugs.gnu.org
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 15 May 2016 15:40:49 +0300 [thread overview]
Message-ID: <c9f22542d79aaf0503b68ba70f0ce912@openmailbox.org> (raw)
In-Reply-To: <87io14sqoa.fsf@dustycloud.org>
Please, for the love of all/any gods!(if any)
Fix this issue :)
For example, you can get this https to work:
https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
(it doesn't currently)
$ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
--2016-05-15 15:32:15--
https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Resolving git.savannah.gnu.org... 208.118.235.72
Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol
Unable to establish SSL connection.
Chromium says:
This site can’t provide a secure connection
git.savannah.gnu.org sent an invalid response.
Learn more about this problem.
ERR_SSL_PROTOCOL_ERROR
This works just fine though: https://savannah.gnu.org/ and
https://gnu.org/ and https://www.gnu.org/
As a reminder, letsencrypt and startssl are a thing - both provide free
certs. If that's the issue.
But I presume there must be another reason why there's no https,
therefore would you please consider hosting it somewhere like github? or
if github isn't inline with GNU(for whatever reasons, eg. license), then
surely notabug.org is(according to libreboot which recommends it instead
of github)! Please, pretty please, consider it. At the very least you
could host a mirror/clone there(if not make it the permanent home of the
repo.) and someone(a dev) could push to both without even having two
remotes(ie. just the origin remote with two push urls is okay); so when
push-ing, both savannah and notabug would get updated(see below how),
and thus we(the users) could use the notabug link to get master.tar.gz
which would then be https.
It would be something like this:
https://https://notabug.org/guixuser/guix/archive/master.tar.gz
(so it's .gz not .xz, is that worse than serving it over plain http?)
I would actually recommend github for increased reliability, but
whatever! As long as it's not served over http anymore! Or find some way
of signing it? that's going to be harder than this!
Here's how to have two push refs in the same remote(origin):
Suppose that this
git remove -v show
shows this:
origin https://github.com/gorhill/uMatrix.git (fetch)
origin https://github.com/gorhill/uMatrix.git (push)
Then to add another push url to the same origin remote, you'd do:
re-add the already existing push url(from above):
git remote set-url --add --push origin
https://github.com/gorhill/uMatrix.git
now, this
git remote -v show
would show no changes!
and now add the new one:
git remote set-url --add --push origin
git@notabug.org:somethingelse/uMatrix.git
and now, this
git remote -v show
would show:
origin https://github.com/gorhill/uMatrix.git (fetch)
origin https://github.com/gorhill/uMatrix.git (push)
origin git@notabug.org:somethingelse/uMatrix.git (push)
So when you do 'git push', it will push to both (so it will prompt for
your ssh key password twice).
Of course for you the 'https://' urls from above would be 'git@'
instead! (they just happen to be https for me, since I don't have push
access)
I want to be honest here: this bug is a show stopper for me! It makes me
draw certain unfavorable conclusions about the mentality and seriousness
of the guix project devs. I wish it wouldn't, but really can you blame
me? I want to use guix but not until something's done about this so that
MITM is unlikely to happen here. At the very least let me pull this over
https, please!
If you use notabug.org then not only we(the users) can get/clone the git
repo over https, but we can also get/clone it over ssh! (instead of over
just plain git://). So that'd be two rabbits in one shot!
Please let me know if anything is going to be done about this, so that I
would know what to do next: wait or move on. No hard feels. Presumably
any direct answer would be better than no answer, so that I would know
what to do, rather than waste time waiting for an answer...
Thank you and I appreciate your time in reading all this!
-signed, an idiot. ;-) #whohasselfesteemamirite
next prev parent reply other threads:[~2016-05-16 17:39 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 18:03 bug#22883: Trustable "guix pull" Christopher Allan Webber
2016-03-02 19:26 ` Leo Famulari
2016-03-02 21:07 ` Christopher Allan Webber
2016-04-25 22:25 ` Ludovic Courtès
2016-04-26 0:13 ` Leo Famulari
2016-04-26 0:17 ` Thompson, David
2016-04-26 7:12 ` Ludovic Courtès
2016-04-30 4:43 ` Mike Gerwitz
2016-06-03 16:12 ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2016-06-03 20:17 ` Leo Famulari
2016-06-04 11:04 ` Ludovic Courtès
2016-06-04 4:24 ` Mike Gerwitz
2016-06-04 11:17 ` Ludovic Courtès
2016-06-04 12:45 ` ng0
2016-06-06 12:20 ` ng0
2016-06-04 16:14 ` Mike Gerwitz
2016-06-05 20:39 ` Christopher Allan Webber
2016-06-05 21:15 ` Leo Famulari
2016-06-06 2:41 ` Mike Gerwitz
2016-06-06 7:01 ` Ludovic Courtès
2016-07-22 8:22 ` Ludovic Courtès
2016-07-22 12:58 ` Thompson, David
2016-07-22 13:58 ` Ludovic Courtès
2017-10-24 23:30 ` Ludovic Courtès
2019-12-27 19:48 ` Ricardo Wurmus
2019-12-28 14:47 ` Ludovic Courtès
2019-12-28 16:05 ` Ricardo Wurmus
2019-12-28 17:45 ` Ludovic Courtès
2020-04-30 15:32 ` Ludovic Courtès
2020-05-01 15:46 ` Justus Winter
2020-05-01 16:50 ` Ludovic Courtès
2020-05-01 17:04 ` Ludovic Courtès
2020-05-19 20:23 ` Ludovic Courtès
2020-06-01 14:07 ` bug#22883: Channel introductions Ludovic Courtès
2020-06-02 23:45 ` zimoun
2020-06-03 9:50 ` Ludovic Courtès
2020-06-03 16:20 ` zimoun
2020-06-04 9:55 ` Ludovic Courtès
2020-05-01 17:20 ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2020-05-02 22:02 ` Ludovic Courtès
2020-05-04 8:03 ` Ludovic Courtès
2016-06-01 16:47 ` bug#22883: Discussion of TUF in the context of Git checkout authentication Ludovic Courtès
2016-05-15 12:40 ` fluxboks [this message]
2016-05-16 17:55 ` bug#22883: Trustable "guix pull" Thompson, David
2016-05-17 21:19 ` Ludovic Courtès
2016-06-04 16:19 ` Werner Koch
2016-06-04 22:27 ` Ludovic Courtès
2016-06-05 7:51 ` Werner Koch
2016-06-06 21:01 ` Leo Famulari
2016-06-07 8:08 ` bug#22883: gpg2 vs. gpg Ludovic Courtès
2016-06-07 11:25 ` Werner Koch
2016-06-07 12:58 ` ng0
2016-06-05 1:43 ` bug#22883: Trustable "guix pull" Mike Gerwitz
2018-08-28 19:56 ` Vagrant Cascadian
2018-09-02 16:05 ` Ludovic Courtès
2018-09-02 17:15 ` Vagrant Cascadian
2018-09-02 20:07 ` Ludovic Courtès
2019-12-20 22:11 ` bug#22883: Authenticating Git checkouts: step #1 Ludovic Courtès
[not found] ` <87mubmodfb.fsf_-_@gnu.org>
2019-12-21 1:33 ` zimoun
2019-12-27 12:58 ` Ludovic Courtès
[not found] ` <87eewqgc1v.fsf@gnu.org>
2019-12-27 20:47 ` Ricardo Wurmus
[not found] ` <87o8vto5rl.fsf@elephly.net>
2019-12-29 2:45 ` Vagrant Cascadian
[not found] ` <87a77bzw6p.fsf@yucca>
2019-12-29 7:34 ` Efraim Flashner
2019-12-30 21:29 ` Ludovic Courtès
2019-12-31 19:16 ` Jakub Kądziołka
2020-01-08 13:30 ` Ludovic Courtès
2020-06-02 13:49 ` bug#22883: Authenticating a Git checkout John Soo
2020-06-03 9:33 ` Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 2/9] git-authenticate: 'authenticate-commits' takes a #:keyring parameter Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 3/9] tests: Move OpenPGP helpers to (guix tests gnupg) Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 5/9] channels: Make 'validate-pull' call right after clone/pull Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 6/9] .guix-channel: Add 'keyring-reference' Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 7/9] channels: Automatically add introduction for the official 'guix' channel Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 8/9] pull: Add '--disable-authentication' Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 9/9] DROP? channels: Add prehistorical authorizations to <channel-introduction> Ludovic Courtès
2020-06-08 22:04 ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c9f22542d79aaf0503b68ba70f0ce912@openmailbox.org \
--to=fluxboks@openmailbox.org \
--cc=22883@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).