From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:403:478a::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id aJJ0IgOfMmX51wAAauVa8A:P1 (envelope-from ) for ; Fri, 20 Oct 2023 17:38:43 +0200 Received: from aspmx1.migadu.com ([2001:41d0:403:478a::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id aJJ0IgOfMmX51wAAauVa8A (envelope-from ) for ; Fri, 20 Oct 2023 17:38:43 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4D7DC60366 for ; Fri, 20 Oct 2023 17:38:43 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=KC12uFyQ; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1697816323; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=yzREb6IJoVO4fDRfo3gNXKRRdkef1Uo+kiVM5/HrMW4=; b=p2jdZZiK/SDhrw8QAcvvyEk1owmXZvxNRsQkwvVLdqvUhFieRV0Sw8bTKt/vJ+/JoMtWLP +8i0q++YE1GQTfxCLskekSuSzC9GvBDSDqVOX+0ajnoI0QbKaV8IDCQbdESj+bK6IRrUX8 mIn2HsDf/G0j5lWGniaCiIyZRTHlEAIsw/65vWvGZwJotRIYvXvA48ZqM+HfEVT3pfW628 EYiXlAMpIilT6F/mYp8l3MjYwAtJ/ATifpGljIlOb07nMVjKXWPPk3LAj3SLHwLqBnKes4 7C9beFP6GhKNSP/puBaLgbDl3rWkBtv916G6alhODeTiNSR6n4R5PstpiV3YEQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1697816323; a=rsa-sha256; cv=none; b=a0BSITDfWOE1hcLfK66DwX90bxcOyZd1PnsGqC/H+nIlP1uZHoWspSIDv+qAPRUJ/2SB6L yAmas9jmMVqHg9weYlYcdoDYGvCmGBTZd45a2qKEu8hZdSK2lvxgRTOHjIL1Y60jsUUyRt of9h1wRw8Oc9SO8fwTBW8XBnf993bHIKxMWqqsV4214cXJNO04Fz/brp+YIQ1j3oRzdRUj oE3p5oTPAAkyxCzwiMK2yEGttjAkkvWcHdgRdQpClghXNDSiFlYrC6KGsofK8Y2trjPZY9 0Qc2KpJQFuEsliNdTYmsY9eWf8nlNiZUUEv/wjMNiN9oyptKw4HHmA0azoU+Fw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=KC12uFyQ; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qtra9-00046B-9N; Fri, 20 Oct 2023 11:38:37 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qtra7-00045Y-Ae for guix-patches@gnu.org; Fri, 20 Oct 2023 11:38:35 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qtra6-0002OR-CV for guix-patches@gnu.org; Fri, 20 Oct 2023 11:38:35 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1qtraX-0000sq-JG for guix-patches@gnu.org; Fri, 20 Oct 2023 11:39:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#46182] [PATCH] lint: Add 'check-git-protocol' checker. Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 20 Oct 2023 15:39:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46182 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Simon Tournier Cc: 46182@debbugs.gnu.org, Leo Famulari Received: via spool by 46182-submit@debbugs.gnu.org id=B46182.16978163153362 (code B ref 46182); Fri, 20 Oct 2023 15:39:01 +0000 Received: (at 46182) by debbugs.gnu.org; 20 Oct 2023 15:38:35 +0000 Received: from localhost ([127.0.0.1]:41234 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qtra6-0000s9-QK for submit@debbugs.gnu.org; Fri, 20 Oct 2023 11:38:35 -0400 Received: from mail-qv1-xf2a.google.com ([2607:f8b0:4864:20::f2a]:44435) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qtra3-0000rp-By for 46182@debbugs.gnu.org; Fri, 20 Oct 2023 11:38:33 -0400 Received: by mail-qv1-xf2a.google.com with SMTP id 6a1803df08f44-66cfd3a0e61so5852666d6.1 for <46182@debbugs.gnu.org>; Fri, 20 Oct 2023 08:38:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697816278; x=1698421078; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:user-agent:message-id:date :references:in-reply-to:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=yzREb6IJoVO4fDRfo3gNXKRRdkef1Uo+kiVM5/HrMW4=; b=KC12uFyQEMYYc60KVTkuMTALuqAlzO1KLcPiBqAQKAcfOg7NKcboPO4wlRwxt2XPBX p+GDDGE7a5WtbeRUD0/68pnCGAaXZ8BW2U5VcufgS20xCEwDibuQHl9XZzUdLDr+1EIn +0EXw3HUNsRL7dmJK8dZDIH7ITZ+KTWg4LBBVljyhvDXbTjqA5TlryVKbf0Tn7e+jAus 0HgZL//dtrSCo6BYvCabqIQV3SDk5Gj/SEVZdXM/OCMYh3xIYgzI9leeZ7yyJuRGeItv uqZ2OH2Ak7ZqwFpNqN5ONoythcN1yridhdCB7/Ldk5hf3kqJec6ib7Ds+8qYZHKcvisp s2xA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697816278; x=1698421078; h=content-transfer-encoding:mime-version:user-agent:message-id:date :references:in-reply-to:subject:cc:to:from:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=yzREb6IJoVO4fDRfo3gNXKRRdkef1Uo+kiVM5/HrMW4=; b=Uq1f2pZ0y9DB3CyENeSKa76mwayOqzTxeZY7Z3g8RdWBtVC6o35JQvty6Jsixbxvu9 zgFsKQyfsNK4YLCrYxICgwVxLOlQmonRqN6Oyp4LEGQHEyscQP3QFqho56oo4YirD5eN V+bKwmD0k8M1PitGx5gTlPt+OiR0vbwHGe40opnelXyCGdH++FT7oLCmzZifPGtwsBSg edlUn3c5O61DKTu08DNhLVgDZ2oiLtm0DfsPDi4G84ZTyTJ5Vtzbxn+SzJiZx9Mm+JtB 6sRdJa+rGbjSQZxYQUPYSfqDwp83rjz4cwhEnowFQHltUObsC0uZmy+F492T8VtiMb8B Qqig== X-Gm-Message-State: AOJu0Yych1E4ISI35Ov7s0VzckN9RuG8Ls1mZIy/A9TRuIbvzRKgzRFh LPVXDnaBc/DxBgUnk/PmZ8M= X-Google-Smtp-Source: AGHT+IGXjPXsQe7kgxh8qZ3vrnybNnJa9YX13mrXaio1VT4YUYSrKFGp+5usRCf2yeX0sl29PaVdhw== X-Received: by 2002:ad4:5c4a:0:b0:66d:627e:24c0 with SMTP id a10-20020ad45c4a000000b0066d627e24c0mr2840424qva.38.1697816278592; Fri, 20 Oct 2023 08:37:58 -0700 (PDT) Received: from hurd (dsl-156-111.b2b2c.ca. [66.158.156.111]) by smtp.gmail.com with ESMTPSA id oi1-20020a05621443c100b0066d0d3daa58sm762462qvb.24.2023.10.20.08.37.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Oct 2023 08:37:58 -0700 (PDT) From: Maxim Cournoyer In-Reply-To: <87v8b1mph6.fsf@gmail.com> (Simon Tournier's message of "Fri, 20 Oct 2023 14:45:57 +0200") References: <86a6rabl7a.fsf@gmail.com> <86k0qe9g8u.fsf@gmail.com> <87pm1am3rt.fsf@gmail.com> <87v8b1mph6.fsf@gmail.com> Date: Fri, 20 Oct 2023 11:37:56 -0400 Message-ID: <877cnhi9t7.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Spam-Score: 5.78 X-Migadu-Queue-Id: 4D7DC60366 X-Migadu-Scanner: mx0.migadu.com X-Migadu-Spam-Score: 5.78 X-TUID: Fl/h8IFuHmru Hi, Simon Tournier writes: > Hi Maxim, > > On Thu, 19 Oct 2023 at 22:22, Maxim Cournoyer = wrote: > >> Thinking about this change though; why is it bad to fetch from git >> places? There may be repos out there where it's the only offered way, >> and as long as we're talking fixed output derivations, it seems moot >> whether you use HTTPS, HTTP or X to retrieve the files (unless you are >> worried about your traffic being monitored, but that's not in scope, I'd >> say). > > Why would not it be in scope? > > Being able to strongly verify (sha256) that the content you fetch is the > data you expect does not imply that the protocol for communicating > cannot be exploited for other means. > > Well, git:// protocol is not supported by well-known forges. Quoting > Pro Git book: > > The Cons > > Due to the lack of TLS or other cryptography, cloning over > git:// might lead to an arbitrary code execution vulnerability, > and should therefore be avoided unless you know what you are > doing. > > https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols > > And I do not have enough imagination to find a way to exploit the git:// > protocol. However, it appears to me a good practise to warn when this > protocol is used. Somehow, a lint message is a recommendation =E2=80=93 = a good > practise =E2=80=93 and not an absolute truth. :-) > > In short, from my point of view, the general rule reads: avoid git:// > protocol if you can. Obviously, if you cannot because it is the only > offered way by some repositories, then let make an exception; but it > does mean that=E2=80=99s a good practise. OK, fair. I remove my objection, but I dislike warnings when they cannot be acted upon (e.g. 'no coverage in software heritage' -- OK neat, but I can't do anything about it, and it may not even support that tarball ingestion yet). --=20 Thanks, Maxim