unofficial mirror of notmuch@notmuchmail.org
 help / color / mirror / code / Atom feed
* Fetching from the git repositories over https?
@ 2018-01-28 17:26 Adam Plaice
  2018-02-04  3:10 ` Daniel Kahn Gillmor
  2018-02-10  3:11 ` Carl Worth
  0 siblings, 2 replies; 7+ messages in thread
From: Adam Plaice @ 2018-01-28 17:26 UTC (permalink / raw)
  To: notmuch

I apologise if I'm asking in the wrong place.

Is it possible to clone/fetch from the notmuch git repositories
(particularly https://git.notmuchmail.org/git/notmuch) over https
rather than with the `git://' protocol?  (None of the likely
alternatives seem to work.)

If not, would it be inconvenient for this to be enabled, as an
option (if not the recommended one)?

Having such an option would be valuable for the purposes of MELPA and
MELPA stable (the Emacs package archives which provide an alternative,
slightly controversial, way of installing the Notmuch Emacs
interface).  Since the scripts that build the package archives fetch
from upstream sources (such as git://git.notmuchmail.org/git/notmuch)
automatically (without human oversight or code inspection) and the
`git://' protocol does not provide any authentication, there is
currently no guarantee that when the MELPA server tries to connect to
notmuchmail.org it's not actually being "Man-in-the-middled" by a
malicious third party.  As a result, it would be possible for such a
third party to introduce some changes to the Elisp code, that would
compromise the machines of any users who install the modified package.

Using https would raise the bar, from anybody who can hijack the
connection between MELPA and notmuchmail.org, to those who can compromise
the SSL certificate chain.

Thank you for your time and thank you for notmuch,
Adam

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Fetching from the git repositories over https?
  2018-01-28 17:26 Fetching from the git repositories over https? Adam Plaice
@ 2018-02-04  3:10 ` Daniel Kahn Gillmor
  2018-02-09  6:28   ` Adam Plaice
  2018-02-10  3:11 ` Carl Worth
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2018-02-04  3:10 UTC (permalink / raw)
  To: Adam Plaice, notmuch

[-- Attachment #1: Type: text/plain, Size: 1421 bytes --]

Hi Adam--

On Sun 2018-01-28 17:26:08 +0000, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.
>
> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol?  (None of the likely
> alternatives seem to work.)

It's currently not possible to do that, but some maintenance work is
underway that might allow us to support it in the future.

I agree with you that https:// is probably a better transport than
git:// in 2018, regardless of what MELPA thinks :)

> Using https would raise the bar, from anybody who can hijack the
> connection between MELPA and notmuchmail.org, to those who can compromise
> the SSL certificate chain.

Whether we use https or not, MELPA should be relying on signed git tags
from known release managers of the upstream projects.

For notmuch, that would be David Bremner, openpgp key fingerprint
815B63982A79F8E7C72786C4762B57BB784206AD

If MELPA is relying only on HTTPS for source integrity, it's vulnerable
to any breakage in the HTTPS security model -- from malicious CAs to
cryptographic attacks against the TLS layer itself.

I agree with you that https:// is preferable to git://, but please
encourage MELPA to take the next step and properly verify the retrieved
source directly via OpenPGP.

Regards,

        --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Fetching from the git repositories over https?
  2018-02-04  3:10 ` Daniel Kahn Gillmor
@ 2018-02-09  6:28   ` Adam Plaice
  2018-02-09 17:42     ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 7+ messages in thread
From: Adam Plaice @ 2018-02-09  6:28 UTC (permalink / raw)
  To: Daniel Kahn Gillmor; +Cc: notmuch

Hi Daniel,

Thanks very much for the reply.  I fully agree that the verifying of
git tags by MELPA would be valuable (and rather important from a
security perspective), and will bring it up.

BTW, is the GitHub mirror https://github.com/notmuch/notmuch/
mentioned in README.rst, semi-official in the sense of being likely to
be up to date?  If, yes, it could be used as a stopgap intermediary
"source" for MELPA, until https transport is possible with the main
notmuch repository or MELPA supports verifying signed git tags.

Thanks again,
Adam

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Fetching from the git repositories over https?
  2018-02-09  6:28   ` Adam Plaice
@ 2018-02-09 17:42     ` Daniel Kahn Gillmor
  2018-02-10  4:34       ` Adam Plaice
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2018-02-09 17:42 UTC (permalink / raw)
  To: Adam Plaice; +Cc: notmuch, Carl Worth

[-- Attachment #1: Type: text/plain, Size: 1350 bytes --]

On Fri 2018-02-09 06:28:04 +0000, Adam Plaice wrote:
> Thanks very much for the reply.  I fully agree that the verifying of
> git tags by MELPA would be valuable (and rather important from a
> security perspective), and will bring it up.

Thanks for doing that!  If you need any backup in the discussion, or if
you think that your suggestion is not being taken as seriously as is
warranted, i'd be happy to try to help explain the issues to the MELPA
folks -- contact me directly offlist if you want to coordinate on this.

> BTW, is the GitHub mirror https://github.com/notmuch/notmuch/
> mentioned in README.rst, semi-official in the sense of being likely to
> be up to date?  If, yes, it could be used as a stopgap intermediary
> "source" for MELPA, until https transport is possible with the main
> notmuch repository or MELPA supports verifying signed git tags.

I think if you use the github mirror, you might just be pushing off
cleartext fetching to someone else, since that mirror appears to be
synced over http itself :/  I don't actually know who maintains that
mirror, and i don't know how to update where it syncs from...

However, Carl Worth (in Cc) just mentioned on IRC that he set up https
for the official notmuch repo!  So please use this URL:

   https://git.notmuchmail.org/git/notmuch

Thanks Carl! :)

All the best,

    --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Fetching from the git repositories over https?
  2018-01-28 17:26 Fetching from the git repositories over https? Adam Plaice
  2018-02-04  3:10 ` Daniel Kahn Gillmor
@ 2018-02-10  3:11 ` Carl Worth
  2018-02-10  4:37   ` Adam Plaice
  1 sibling, 1 reply; 7+ messages in thread
From: Carl Worth @ 2018-02-10  3:11 UTC (permalink / raw)
  To: Adam Plaice, notmuch

On Sun, Jan 28 2018, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.

Not at all. This is the right place.

> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol?  (None of the likely
> alternatives seem to work.)

It wasn't possible when you asked, but I just configured this, and it
seems to work.

Specifically, I have tested that I can point my browser at:

        https://git.notmuchmail.org/git/notmuch

to see the gitweb view of the git history on the web, and I can also use
that same URL for a git clone:

        git clone https://git.notmuchmail.org/git/notmuch

and that works.

I also verified that I a "git push" from such a clone results in a 403
error as desired.

So give that a try, and anyone, let me know if you see anything that I
may have broken or setup incorrectly.

Also, I haven't yet updated any documentation to point to this new
mechanism, so that's something that could still be done.

> Thank you for your time and thank you for notmuch,

You're quite welcome. And thank you for your contribution!

-Carl

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Fetching from the git repositories over https?
  2018-02-09 17:42     ` Daniel Kahn Gillmor
@ 2018-02-10  4:34       ` Adam Plaice
  0 siblings, 0 replies; 7+ messages in thread
From: Adam Plaice @ 2018-02-10  4:34 UTC (permalink / raw)
  To: Daniel Kahn Gillmor; +Cc: notmuch, Carl Worth

> Thanks for doing that!  If you need any backup in the discussion, or if
> you think that your suggestion is not being taken as seriously as is
> warranted, i'd be happy to try to help explain the issues to the MELPA
> folks -- contact me directly offlist if you want to coordinate on this.

Thanks for the offer!  FWIW, I've opened an issue here:

https://github.com/melpa/melpa/issues/5294

> I think if you use the github mirror, you might just be pushing off
> cleartext fetching to someone else, since that mirror appears to be
> synced over http itself :/  I don't actually know who maintains that
> mirror, and i don't know how to update where it syncs from...

I had been hoping that the mirror was updated by a notmuch contributor
who had access to the main repository and could fetch the code over ssh,
though in any case this is now irrelevant.

> However, Carl Worth (in Cc) just mentioned on IRC that he set up https
> for the official notmuch repo!  So please use this URL:

>    https://git.notmuchmail.org/git/notmuch

> Thanks Carl! :)

That's brilliant. Thanks very much (and thanks Carl)!

Adam

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Fetching from the git repositories over https?
  2018-02-10  3:11 ` Carl Worth
@ 2018-02-10  4:37   ` Adam Plaice
  0 siblings, 0 replies; 7+ messages in thread
From: Adam Plaice @ 2018-02-10  4:37 UTC (permalink / raw)
  To: Carl Worth; +Cc: notmuch

Thanks again very much for implementing this!

I've encountered no issues when cloning.

> Also, I haven't yet updated any documentation to point to this new
> mechanism, so that's something that could still be done.

Taken as a suggestion and done:
https://git.notmuchmail.org/git?p=notmuch-wiki;a=commitdiff;h=6b421471aaad8160981561c705dae1cbaa17702c;hp=591299b2f4b15f6ef7e8c308ead9c3a30b7c7563

I've left the instructions for the wiki, at
https://notmuchmail.org/wikiwriteaccess/
unchanged, as I'm not sure whether the push mechanism would work with the
https transport and don't want to experiment.  Also, MITM attacks aren't much
of a worry in this case...

Thank you for a very welcoming attitude,
Adam

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2018-02-10  4:37 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-01-28 17:26 Fetching from the git repositories over https? Adam Plaice
2018-02-04  3:10 ` Daniel Kahn Gillmor
2018-02-09  6:28   ` Adam Plaice
2018-02-09 17:42     ` Daniel Kahn Gillmor
2018-02-10  4:34       ` Adam Plaice
2018-02-10  3:11 ` Carl Worth
2018-02-10  4:37   ` Adam Plaice

Code repositories for project(s) associated with this public inbox

	https://yhetil.org/notmuch.git/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).