public inbox for cygwin-developers@cygwin.com
* https access to git repo?
From: Eric Blake @ 2018-11-02 13:20 UTC
  To: cygwin-developers

https://cygwin.com/git.html recommends the use of git:// for accessing 
the cygwin git repo.  However, git:// suffers from man-in-the-middle 
attacks, in comparison to https://.  On the other hand, performance of 
https:// is much worse than git:// UNLESS the git server is running a 
new enough version of git, such that it advertises 
application/x-git-upload-pack-advertisement support.

Alas, the current sourceware server is running an old version of git:

$ wget -S 'http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
   Content-Type: text/plain; charset=UTF-8

Contrast that with other git repos:

$ wget -S 'https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
   Content-Type: application/x-git-upload-pack-advertisement

Is there a chance we can get sourceware to upgrade to a newer git 
server, and then update our recommendations to point people to https:// 
clones instead of insecure git://, and without the current speed penalty 
that current https:// access through our non-upgraded server provides?

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
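
An added example, not part of Eric's message: the Content-Type check above as a shell function that also looks at the first line of the response body, since git's HTTP protocol documentation has clients validate the first pkt-line as well as the header before treating a server as "smart". The name `classify_info_refs` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a saved /info/refs?service=git-upload-pack response.
# classify_info_refs is a hypothetical helper; the sample files are constructed.

# Usage: classify_info_refs HEADERS_FILE BODY_FILE  -> smart | dumb | unknown
classify_info_refs() {
    # Last Content-Type seen (after redirects), parameters stripped, lowercased.
    ctype=$(grep -i '^ *content-type:' "$1" | tail -n 1 | tr -d '\r' |
            sed -e 's/^[^:]*: *//' -e 's/;.*//' -e 's/ *$//' |
            tr '[:upper:]' '[:lower:]')
    # First body line: a pkt-line on a smart server, "<sha>\t<ref>" on a dumb one.
    first=$(head -n 1 "$2" | tr -d '\r')
    tab=$(printf '\t')
    if [ "$ctype" = 'application/x-git-upload-pack-advertisement' ]; then
        # 001e = 4 length digits + 26 bytes of "# service=git-upload-pack\n"
        if [ "$first" = '001e# service=git-upload-pack' ]; then
            echo smart
        else
            echo unknown    # header claims smart HTTP, body does not match
        fi
    elif printf '%s\n' "$first" | grep -Eq "^[0-9a-f]{40}${tab}"; then
        echo dumb           # plain ref listing: client falls back to dumb HTTP
    else
        echo unknown        # e.g. an HTML error page or a captive portal
    fi
}

# Constructed samples in the shape of the two responses quoted in the message.
demo=$(mktemp -d)
printf '  HTTP/1.1 200 OK\n  Content-Type: text/plain; charset=UTF-8\n' \
    > "$demo/old.hdr"
printf '0123456789abcdef0123456789abcdef01234567\trefs/heads/master\n' \
    > "$demo/old.body"
printf '  HTTP/1.1 200 OK\n  Content-Type: application/x-git-upload-pack-advertisement\n' \
    > "$demo/new.hdr"
printf '001e# service=git-upload-pack\n0000' > "$demo/new.body"

echo "old server: $(classify_info_refs "$demo/old.hdr" "$demo/old.body")"
echo "new server: $(classify_info_refs "$demo/new.hdr" "$demo/new.body")"
```

To run it against a real server, save the headers and body separately, for example with `wget -S -O body.txt URL 2> headers.txt`, and pass the two files to the function.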


* Re: https access to git repo?
From: cyg Simple @ 2018-11-02 14:32 UTC
  To: cygwin-developers

On 11/2/2018 9:20 AM, Eric Blake wrote:
> https://cygwin.com/git.html recommends the use of git:// for accessing
> the cygwin git repo.  However, git:// suffers from man-in-the-middle
> attacks, in comparison to https://.  On the other hand, performance of
> https:// is much worse than git:// UNLESS the git server is running a
> new enough version of git, such that it advertises
> application/x-git-upload-pack-advertisement support.
> 
> Alas, the current sourceware server is running an old version of git:
> 
> $ wget -S 'http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
>   Content-Type: text/plain; charset=UTF-8
> 
> Contrast that with other git repos:
> 
> $ wget -S 'https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
>   Content-Type: application/x-git-upload-pack-advertisement
> 
> Is there a chance we can get sourceware to upgrade to a newer git
> server, and then update our recommendations to point people to https://
> clones instead of insecure git://, and without the current speed penalty
> that current https:// access through our non-upgraded server provides?

You'll need to ask overseerers@sourceware.org.  They may have it on
their radar already but it doesn't hurt to ask.

-- 
cyg Simple


* Re: https access to git repo?
From: Corinna Vinschen @ 2018-11-05  8:52 UTC
  To: cygwin-developers


On Nov  2 10:32, cyg Simple wrote:
> On 11/2/2018 9:20 AM, Eric Blake wrote:
> > https://cygwin.com/git.html recommends the use of git:// for accessing
> > the cygwin git repo.  However, git:// suffers from man-in-the-middle
> > attacks, in comparison to https://.  On the other hand, performance of
> > https:// is much worse than git:// UNLESS the git server is running a
> > new enough version of git, such that it advertises
> > application/x-git-upload-pack-advertisement support.
> > 
> > Alas, the current sourceware server is running an old version of git:
> > 
> > $ wget -S 'http://sourceware.org/git/newlib-cygwin.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
> >   Content-Type: text/plain; charset=UTF-8
> > 
> > Contrast that with other git repos:
> > 
> > $ wget -S 'https://repo.or.cz/qemu.git/info/refs?service=git-upload-pack' 2>&1 | grep Content-Type
> >   Content-Type: application/x-git-upload-pack-advertisement
> > 
> > Is there a chance we can get sourceware to upgrade to a newer git
> > server, and then update our recommendations to point people to https://
> > clones instead of insecure git://, and without the current speed penalty
> > that current https:// access through our non-upgraded server provides?
> 
> You'll need to ask overseerers@sourceware.org.  They may have it on
> their radar already but it doesn't hurt to ask.

ACK

-- 
Corinna Vinschen
Cygwin Maintainer

