From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:306:2d92::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id wJ5EIGmcMmUBJQAAauVa8A:P1 (envelope-from ) for ; Fri, 20 Oct 2023 17:27:37 +0200 Received: from aspmx1.migadu.com ([2001:41d0:306:2d92::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id wJ5EIGmcMmUBJQAAauVa8A (envelope-from ) for ; Fri, 20 Oct 2023 17:27:37 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 6F04751954 for ; Fri, 20 Oct 2023 17:27:37 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=etOk2riQ; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1697815657; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=ninTY+nhRtnptVEcxhdfxVNJ5uPn1aDBUnCoyyZNZ50=; b=ZUBPTlQ0vgLjb7blTK+/ZR/ufEWspy6sZj3CLdOTLL6U6JJ6eRJkXoLe2eKy0fchK5IlTi qba7CoNnNvqv18ZU9fOlnGstl3F7kjAue9Mw25bNNPPPbvSoEvfRR/43hjrDrzIcD60QJn pRmhwcY5eNwuQhKWUY5t+253ndB+ylnIvlFVgCRUb8Dq7AkH8w8983g11AhbRUH0HwSqiq OPBwBNFxwMjnbj2QFs9zDBeQ6dkl0Zga/8MKL8qF0VmLQLIK3uoyEiuGrEnhDbb6LH9vwb Zat2eHanbyfHOqSzQaFzDeX3iRxsloJVBJEobTRUFTpUzBh8P9wUFpiJ5F4r4g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=etOk2riQ; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Seal: i=1; s=key1; d=yhetil.org; t=1697815657; a=rsa-sha256; cv=none; b=sFeKjO9KdMfNG6kJzmdNblSKMEyHNf9Wmj2p7RVYLRAPFeJWLtPSK9F6yxoV70Bv7TpXPm IB3i6UZrjLTEpdqz2y1KVesg9jGk5Do43vMKn1RbEkTVBkbeQGT/ltuEoO7NnBexq6YwL9 7MquOdkWNdMptF7iU55t5Q5BXXiHyygeOjYwXbZ/o6Ki3+LmtlxgO6p/bC8mNIOEGRV6M+ L+BLlTPf66jqhiNijdIvd6zrBLp5rwAMwMK8xAGF0Y79k37G+nx47vaEoCwlIBHco6b1ly o/VRq4inonzHL5yHphQfQftR+CGJYGtN9xa18ItJ5baaVoJq9UxzcRLntTCcJA== Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qtrOc-0003ws-T6; Fri, 20 Oct 2023 11:26:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qtrOZ-0003e1-4T for guix-patches@gnu.org; Fri, 20 Oct 2023 11:26:39 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qtrOV-0006qZ-LE for guix-patches@gnu.org; Fri, 20 Oct 2023 11:26:35 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1qtrOw-0000Qs-Ry for guix-patches@gnu.org; Fri, 20 Oct 2023 11:27:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#46182] [PATCH] lint: Add 'check-git-protocol' checker. Resent-From: Simon Tournier Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 20 Oct 2023 15:27:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 46182 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Maxim Cournoyer Cc: 46182@debbugs.gnu.org, Leo Famulari Received: via spool by 46182-submit@debbugs.gnu.org id=B46182.16978155791575 (code B ref 46182); Fri, 20 Oct 2023 15:27:02 +0000 Received: (at 46182) by debbugs.gnu.org; 20 Oct 2023 15:26:19 +0000 Received: from localhost ([127.0.0.1]:41201 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qtrOE-0000PC-72 for submit@debbugs.gnu.org; Fri, 20 Oct 2023 11:26:19 -0400 Received: from mail-wr1-x42f.google.com ([2a00:1450:4864:20::42f]:38051) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qtrOB-0000Ou-BU for 46182@debbugs.gnu.org; Fri, 20 Oct 2023 11:26:17 -0400 Received: by mail-wr1-x42f.google.com with SMTP id ffacd0b85a97d-32da42b8225so154505f8f.0 for <46182@debbugs.gnu.org>; Fri, 20 Oct 2023 08:25:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697815542; x=1698420342; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ninTY+nhRtnptVEcxhdfxVNJ5uPn1aDBUnCoyyZNZ50=; b=etOk2riQwMcqn4QUCg+R4B5pjfQWt4BuMcSgMPW3SIqaqFtbtL+nvcaNU6ouAucCyj JqpfUsGJBtCNdhBGCOwgn0FVp0QePzDhatmzl0sZxIoAcJhMG9VLo7GRDLWrZZVOcDgm optA1u343zA0ZUAJQBd5eyQVMdwVKwGSDkEN/r77190ukuzPf1zQJU2uYahf2BS1mEKJ W0lSrXGraf65h2c9bSiM/RB0pccebGeOTXR632Yjw9OE0P+oaDvInCkDhP74uB90QZMd 2nX/uzC2F6IJNGl9vjSNvPNtIht1ys4fTp5UWtyrOf21s1tQyiYfXUCfhCGbKpu8lyyI 7nxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697815542; x=1698420342; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ninTY+nhRtnptVEcxhdfxVNJ5uPn1aDBUnCoyyZNZ50=; b=b+Uy7UYS0vGL905qkat2Tq/lTZJ1NNQYehD5kibr5VW6dcRrWXeRhfclBTU9+egsu7 Jxc3nQbHJAwxB4fc7pTfJT2XV7horq+2CTxXkwVjrPl8YkArQHENc1PZGT4wDs/74jyF 1pabNoVLk5eQktnV4hFeKyE4li8lX/hz5kEa9C704aFMRadzhlVVco7Tg6dhSUtHRPuY V/eq3PNM+oXIokuO3hv1vmLUPkvZiblreChOPQLH6OI9mYmxNkCjSWzpm4B3Ud6q8ltj yiDN4/C9uxfsLepoPQwAYPCH9Vvi51OD2nU5aSnL6NzemLSsaDMwusrICbZGCw6EpZV9 eucg== X-Gm-Message-State: AOJu0Yz+j8w/uaPN4N4N7BFRyYczmlqZ8lVjBMI5ncmKSMJ95e95KbYx 7MwQnvAuXcM756r/sCL97Ig= X-Google-Smtp-Source: AGHT+IEnlED73V8GAPiijEynE1bsfRKGMAy3QSqmfxwH46WVi8QXCGisNb+zzuPAaHfeoAAsyapXQg== X-Received: by 2002:adf:a48f:0:b0:32d:d9a8:53df with SMTP id g15-20020adfa48f000000b0032dd9a853dfmr1574182wrb.3.1697815541810; Fri, 20 Oct 2023 08:25:41 -0700 (PDT) Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id f6-20020a5d50c6000000b003258934a4bcsm1905067wrt.42.2023.10.20.08.25.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Oct 2023 08:25:41 -0700 (PDT) From: Simon Tournier In-Reply-To: <87pm1am3rt.fsf@gmail.com> References: <86a6rabl7a.fsf@gmail.com> <86k0qe9g8u.fsf@gmail.com> <87pm1am3rt.fsf@gmail.com> Date: Fri, 20 Oct 2023 14:45:57 +0200 Message-ID: <87v8b1mph6.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: 5.88 X-Spam-Score: 5.88 X-Migadu-Queue-Id: 6F04751954 X-Migadu-Scanner: mx2.migadu.com X-TUID: yF4qL+F8fPuo Hi Maxim, On Thu, 19 Oct 2023 at 22:22, Maxim Cournoyer w= rote: > Thinking about this change though; why is it bad to fetch from git > places? There may be repos out there where it's the only offered way, > and as long as we're talking fixed output derivations, it seems moot > whether you use HTTPS, HTTP or X to retrieve the files (unless you are > worried about your traffic being monitored, but that's not in scope, I'd > say). Why would not it be in scope? Being able to strongly verify (sha256) that the content you fetch is the data you expect does not imply that the protocol for communicating cannot be exploited for other means. Well, git:// protocol is not supported by well-known forges. Quoting Pro Git book: The Cons Due to the lack of TLS or other cryptography, cloning over git:// might lead to an arbitrary code execution vulnerability, and should therefore be avoided unless you know what you are doing. https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols And I do not have enough imagination to find a way to exploit the git:// protocol. However, it appears to me a good practise to warn when this protocol is used. Somehow, a lint message is a recommendation =E2=80=93 a = good practise =E2=80=93 and not an absolute truth. :-) In short, from my point of view, the general rule reads: avoid git:// protocol if you can. Obviously, if you cannot because it is the only offered way by some repositories, then let make an exception; but it does mean that=E2=80=99s a good practise. Cheers, simon