From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Simon Tournier <zimon.toutoune@gmail.com>
Cc: 46182@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: [bug#46182] [PATCH] lint: Add 'check-git-protocol' checker.
Date: Fri, 20 Oct 2023 11:37:56 -0400 [thread overview]
Message-ID: <877cnhi9t7.fsf@gmail.com> (raw)
In-Reply-To: <87v8b1mph6.fsf@gmail.com> (Simon Tournier's message of "Fri, 20 Oct 2023 14:45:57 +0200")
Hi,
Simon Tournier <zimon.toutoune@gmail.com> writes:
> Hi Maxim,
>
> On Thu, 19 Oct 2023 at 22:22, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> Thinking about this change though; why is it bad to fetch from git
>> places? There may be repos out there where it's the only offered way,
>> and as long as we're talking fixed output derivations, it seems moot
>> whether you use HTTPS, HTTP or X to retrieve the files (unless you are
>> worried about your traffic being monitored, but that's not in scope, I'd
>> say).
>
> Why would not it be in scope?
>
> Being able to strongly verify (sha256) that the content you fetch is the
> data you expect does not imply that the protocol for communicating
> cannot be exploited for other means.
>
> Well, git:// protocol is not supported by well-known forges. Quoting
> Pro Git book:
>
> The Cons
>
> Due to the lack of TLS or other cryptography, cloning over
> git:// might lead to an arbitrary code execution vulnerability,
> and should therefore be avoided unless you know what you are
> doing.
>
> https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols
>
> And I do not have enough imagination to find a way to exploit the git://
> protocol. However, it appears to me a good practise to warn when this
> protocol is used. Somehow, a lint message is a recommendation – a good
> practise – and not an absolute truth. :-)
>
> In short, from my point of view, the general rule reads: avoid git://
> protocol if you can. Obviously, if you cannot because it is the only
> offered way by some repositories, then let make an exception; but it
> does mean that’s a good practise.
OK, fair. I remove my objection, but I dislike warnings when they
cannot be acted upon (e.g. 'no coverage in software heritage' -- OK
neat, but I can't do anything about it, and it may not even support that
tarball ingestion yet).
--
Thanks,
Maxim
next prev parent reply other threads:[~2023-10-20 15:38 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-30 1:04 [bug#46182] [PATCH] lint: Add 'check-git-protocol' checker Leo Famulari
2021-03-11 0:14 ` zimoun
2021-03-11 1:46 ` Leo Famulari
2021-03-11 9:44 ` zimoun
2023-10-20 2:22 ` Maxim Cournoyer
2023-10-20 12:45 ` Simon Tournier
2023-10-20 15:37 ` Maxim Cournoyer [this message]
2021-03-11 22:29 ` Ludovic Courtès
2022-05-22 4:15 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877cnhi9t7.fsf@gmail.com \
--to=maxim.cournoyer@gmail.com \
--cc=46182@debbugs.gnu.org \
--cc=leo@famulari.name \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.