
[Savannah-hackers-public] git server upgraded


From: Bob Proulx
Subject: [Savannah-hackers-public] git server upgraded
Date: Fri, 20 Sep 2024 15:08:57 -0600

Savannah Hackers,

I sent this to savannah-users for user consumption and am forwarding
it to savannah-hackers-public for hacker consumption.

Bob

----- Forwarded message from Bob Proulx <bob@proulx.com> -----

From: Bob Proulx <bob@proulx.com>
To: savannah-users@gnu.org
Mail-Followup-To: savannah-users@gnu.org
Subject: git server upgraded
Date: Fri, 20 Sep 2024 14:57:56 -0600

Savannah Users,

TL;DR: git server upgraded, please report any problems

Hello Everyone!  Just a quick state of the system on the git services
side of things.  A quick back notification on the SQL database system.
A hint at continuing upgrades in the works.

After various obstacles were cleared the git service has been migrated
from the previous Trisquel 9 system to a current Trisquel 11 system.
This brings in updates to git, updates to OpenSSH used for member
access, updates to nginx used for HTTP access, and upgrades to cgit
used for web side browsing of the version history.

Among the obstacles the MariaDB API used to access the SQL database
changed program interfaces which broke building the libnss-mysql
library used to bridge those two things.  The change was minor.  The
reconnect structure member has been deprecated for a looong time and
has finally been removed entirely.  But it was working, it was
compiling, no problems were seen.  Until it was compiled on Trisquel
10 with the updated MariaDB client development there.  Yes I know that
was 10 and 11 has been out for a while.  But that's why we didn't get
this done for Trisquel 10.  Life and time is what keeps everything
from happening all at once.

It's now been updated.  We are using it for Savannah and need it.  I
have been maintaining it for Savannah's use.  I decided to make more
complete upgrades to it.  Updated the C code for that API change.  And
then spent more time updating the autotools build system used by it.
Changes to the GNU autotools required more updating than the C API
change!  And then also updated the deb packaging.  There is still more
work needed to polish up the deb packaging but it's functional again and
everything is working on the current Trisquel 11.  I expect when 12
releases that we will be able to roll to it quickly.

    https://git.savannah.gnu.org/cgit/administration/libnss-mysql.git/
    https://download.savannah.gnu.org/releases/administration/libnss-mysql/

Another much more minor obstacle was that git version 2.35.2
introduced a security check for CVE-2022-24765 with this commit
of interest to us.

    https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9

My paraphrased summary is that a social engineering attack was
possible mostly in an education environment where a combination of a
git enabled PS1 prompt along with a malicious person crafting a .git
directory above the work area of others can execute code as that other
user leading to a compromise of their account.  The git upstream fix
to this problem now checks that the git repository directory owner is
the same user as the current user or it exits with a fatal error.

Immediately you can see that in a multi-member project such as those
hosted on Savannah only one user can own the repository and all of the
other committing members are left out unable to also own it.  Git will
immediately exit with the fatal error.  It's changes such as this
which make DevOps "interesting" in the curse sense of the word.
Fortunately we normally create upgraded systems over in a development
area first, find these types of problems there, mitigate them, and
then roll services onto the production system after having already
mitigated the problem.

In this case git now requires a never before needed /etc/gitconfig
file instructing git to ignore this check for our Savannah
repositories.  We don't have the same environment the check is
designed to protect people from that type of an attack and must
disable it in order to host multi-member projects.

I mentioned the SQL server was previously upgraded.  That was less
exciting.  Which is good!  Not Internet facing.  No one would notice
the difference.  The MariaDB SQL database server was previously
upgraded from Trisquel 9 to the current Trisquel 11 as well.  At that
opportunistic time the database engines were upgraded from the many
that were MyISAM to InnoDB.  I might describe InnoDB as the new engine
but it's been the default since 2010.  But Savannah's database has
been around since 2000 and predates this.  InnoDB is ACID compliant
(what you want in a database) and enables future improvements such as
replication.  The charsets were also upgraded uniformly at the same
time to utf8mb4 from their eclectic collection of latin1 and utf8.
This should avoid some of the strange multi-byte character issues.

There is a known problem with cgit's index page.  No one has been able
to determine why but the problem has been reported (THANK YOU for the
problem reports!) and reproduced very often now.  The index page has
garbled project links.  We know about it.  We have tried to debug it.
So far no joy at determining the problem.  The problem appears and
then disappears.  And to both servers at the same time.

    https://git.savannah.gnu.org/cgit/  (link mangling bug)

With the new server upgrade almost ready I decided to push the server
upgrade through before working on the cgit index page debugging.  Now
that the new system is online I will be focusing effort on debugging
and fixing the cgit index page problem.

The Subversion server is next on my task queue for upgrade.
Subversion, as with the other version control systems, shares the
same MariaDB SQL user account database and therefore did share in that
system upgrade.  Subversion is not forgotten.  Subversion has been
working away trouble free and I hate to mess with trouble-free working
systems!  It's been rock solid reliable.  But it's time to upgrade its
server too.  That will again upgrade member ssh access.  It will
upgrade anonymous read-only checkout via Apache's WebDAV interface.
That's in the task queue and will be happening not far off now.

I haven't mentioned hg and bzr yet.  Not forgotten.  But later
down in the task queue.

This has been a quick state of the Savannah vcs system update!
Bob


----- End forwarded message -----
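The mail above describes the CVE-2022-24765 ownership check and the need for a system-wide `/etc/gitconfig` that tells git to skip it for shared Savannah repositories, but does not show the file. The Python below is an added illustration for this thread, not Savannah's actual configuration or anything from the git project: it parses the `safe.directory` entries from gitconfig-formatted text, emulates (in simplified form) the owner-versus-current-user test git performs, and renders a `[safe]` section that lists only the repositories that must be shared, as a narrower alternative to the blanket `directory = *` which switches the check off for every repository on the host. The repository paths and uids are constructed sample data.

```python
"""Emulate git's CVE-2022-24765 ownership check and render a [safe] section.

Added example for the savannah-hackers-public thread; the paths, uids and
config text below are constructed, not Savannah's real configuration.
"""
import os
from typing import Dict, List, Optional


def parse_safe_directories(gitconfig_text: str) -> List[str]:
    """Return every safe.directory value from gitconfig-formatted text.

    git config keys may repeat (one `directory =` line per repository), so
    the [safe] section is parsed by hand rather than with configparser,
    which rejects duplicate keys. Comments start with `#` or `;`.
    """
    safe: List[str] = []
    section: Optional[str] = None
    for raw in gitconfig_text.splitlines():
        line = raw.strip()
        for marker in (" #", " ;"):
            if marker in line:
                line = line.split(marker, 1)[0].rstrip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "safe" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "directory":
                safe.append(value)
    return safe


def git_refuses(repo_dir: str, repo_owner_uid: int, current_uid: int,
                safe_dirs: List[str]) -> bool:
    """Simplified emulation of the check git added for CVE-2022-24765.

    git refuses a repository whose top-level directory is owned by another
    uid unless safe.directory names that path or is `*`. Real git does more
    path normalisation than this; here only normpath and exact match apply.
    """
    if repo_owner_uid == current_uid:
        return False
    wanted = os.path.normpath(repo_dir)
    return not any(entry == "*" or os.path.normpath(entry) == wanted
                   for entry in safe_dirs)


def audit(repos: Dict[str, int], member_uid: int,
          safe_dirs: List[str]) -> List[str]:
    """List repositories a member with `member_uid` could not open.

    `repos` maps repository directory to owner uid; on a live host these
    values would come from os.stat(path).st_uid.
    """
    return sorted(path for path, owner in repos.items()
                  if git_refuses(path, owner, member_uid, safe_dirs))


def render_safe_section(repo_dirs: List[str]) -> str:
    """Render a [safe] section naming only the given repositories.

    This keeps the ownership check active for every other repository on
    the host, unlike a single `directory = *` entry.
    """
    lines = ["[safe]"]
    for path in sorted({os.path.normpath(p) for p in repo_dirs}):
        lines.append(f"\tdirectory = {path}")
    return "\n".join(lines) + "\n"


# Constructed sample: two shared project repositories owned by different
# members (uids are made up for the example).
SAMPLE_REPOS = {
    "/srv/git/projectA.git": 1001,
    "/srv/git/projectB.git": 1002,
}
BLANKET_CONFIG = "[safe]\n\tdirectory = *  # disables the check everywhere\n"

if __name__ == "__main__":
    print("no /etc/gitconfig, uid 1002 refused on:", audit(SAMPLE_REPOS, 1002, []))
    print("blanket config:", parse_safe_directories(BLANKET_CONFIG))
    narrow = render_safe_section(list(SAMPLE_REPOS))
    print(narrow, end="")
    print("narrow config, uid 1002 refused on:",
          audit(SAMPLE_REPOS, 1002, parse_safe_directories(narrow)))
```

Running it shows that without any `safe.directory` entry a member who is not the directory owner is locked out of the other project's repository, and that either the wildcard or an explicit list of the hosting tree's repositories clears that, with the explicit list leaving the check in force for directories outside the hosting tree.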
