
Re: [Savannah-hackers-public] git over https

From: Bob Proulx
Subject: Re: [Savannah-hackers-public] git over https
Date: Tue, 7 Feb 2017 15:18:32 -0700
User-agent: NeoMutt/20170113 (1.7.2)

Leo Famulari wrote:
> The advantage of HTTPS compared to SSH is that it can be used
> anonymously, without setting up a Savannah account. Currently, users who
> wish to fetch source code from Savannah using an authenticated protocol
> must create a Savannah account. This is inconvenient for casual users.

I am sympathetic.  And as you know we are heading toward https
everywhere that https can be used.  However, you would not believe how
many things need significant effort in order to get there.  Because
over the decades the collection of services that is Savannah has
acquired quite a few features and warts.  Just git itself has moved
back and forth a half dozen times and been reverted due to showstopper
problems due to previously unknown conflicts.  It seemed a lot simpler
to me too before I became sucked into the machinery. :-)

> I bet that most of them use the unauthenticated HTTP or Git protocols
> and are vulnerable to man-in-the-middle attacks and eavesdropping.

Certainly it is vulnerable to eavesdropping.  And to some extent https
metadata is also vulnerable.  And since all of the hosted projects
that might be downloaded are available to anyone I think that even with
https it is possible for a well funded attacker with access to the
metadata to know what someone has downloaded.  But with git using SHA1
hashes for everything I think it would be quite the challenge to
produce a viable modification attack.  (However I acknowledge that
some of the proof of concept attacks for other attacks that I have
looked at have quite surprised me by the cleverness used and that they
did work.)

> For this reason, I would not call HTTPS a fallback method, but
> rather in the same class as SSH.

I disagree.  I don't think https is in the same league here.  But that
doesn't mean I am trying to stop https.  Far from it.  I have put in a
lot of time trying to get everything moving forward.  It is available

> >   git clone
> >     Cloning into 'emacs'...
> >     ... takes about twenty minutes with no output on my network ...
> I think this is a regression from the old Savannah server. The old
> server appears to use the so-called "smart HTTP" Git protocol [0], which
> provides informative output while it is working. On the other hand, the
> "dumb HTTP" Git protocol [1] does not provide any output.

Drat!  This does appear to be a regression.

In your opinion is that enough of a regression to warrant reverting
(once again) the git service back to the old server?  Of course that
means another IP address change thrash for people who have ssh
configured to watch such things.  And more delay in getting things
moved.  Sigh.

> It takes me ~40 seconds to clone the Guix Git repository from
> <>. To me, that's pretty fast
> for an 83 MB download. And it's the same speed as cloning over SSH from
> the old server.

Of course I chose Emacs because it has a large repository of about
275M and my network is probably slower. :-)


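The smart versus dumb HTTP distinction above can be checked directly from the response to `GET info/refs`. The following is an added example, not code from this thread or from Savannah: a small parser for both response shapes (pkt-line framed ref advertisement for smart HTTP, plain `<sha>\t<ref>` text for dumb HTTP) that also rejects anything that is not a 40-hex object id. The sample bodies and the object id are constructed for illustration.

```python
import re
SHA1_HEX = re.compile(rb"^[0-9a-f]{40}$")
SMART_TYPE = "application/x-git-upload-pack-advertisement"

def pkt_line(payload: bytes) -> bytes:
    # Frame one pkt-line: 4 hex digits giving total length, then the payload.
    return b"%04x%s" % (len(payload) + 4, payload)

def read_pkt_lines(body: bytes):
    # Yield pkt-line payloads; None stands for a flush-pkt ("0000").
    pos = 0
    while pos < len(body):
        length = int(body[pos:pos + 4], 16)
        if length == 0:
            pos += 4
            yield None
        elif length < 4 or pos + length > len(body):
            raise ValueError("malformed pkt-line at offset %d" % pos)
        else:
            yield body[pos + 4:pos + length]
            pos += length

def parse_info_refs(content_type: str, body: bytes) -> dict:
    # Classify a GET info/refs response as smart or dumb HTTP and list its refs.
    refs, caps, lines = {}, [], []
    if content_type == SMART_TYPE:
        pkts = read_pkt_lines(body)
        if next(pkts) != b"# service=git-upload-pack\n" or next(pkts) is not None:
            raise ValueError("missing smart-HTTP service header")
        for payload in pkts:
            if payload is None:          # flush-pkt ends the advertisement
                break
            line = payload.rstrip(b"\n")
            if b"\0" in line:            # first ref carries the capability list
                line, capstr = line.split(b"\0", 1)
                caps = capstr.decode().split()
            lines.append(line.split(b" ", 1))
        protocol = "smart"
    else:                                # dumb HTTP: plain "<sha>\t<ref>" text
        lines = [l.split(b"\t", 1) for l in body.splitlines()]
        protocol = "dumb"
    for sha, ref in lines:
        if not SHA1_HEX.match(sha):      # reject anything that is not a 40-hex object id
            raise ValueError("bad object id for %r" % ref)
        refs[ref.decode()] = sha.decode()
    return {"protocol": protocol, "refs": refs, "caps": caps}

# Constructed sample bodies (not captured from Savannah); the object id is made up.
HEAD_SHA = b"3f786850e387550fdab836ed7e6dc881de23001b"
SMART_BODY = (pkt_line(b"# service=git-upload-pack\n") + b"0000"
              + pkt_line(HEAD_SHA + b" HEAD\0multi_ack thin-pack side-band-64k\n")
              + pkt_line(HEAD_SHA + b" refs/heads/master\n") + b"0000")
DUMB_BODY = HEAD_SHA + b"\trefs/heads/master\n"
```

The `side-band-64k` capability in the smart advertisement is what lets the server stream progress text to the client; a dumb HTTP server advertises no capabilities, which is why the clone runs silently.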