Re: [Savannah-hackers-public] git server upgraded
From: Simon Josefsson
Subject: Re: [Savannah-hackers-public] git server upgraded
Date: Sat, 21 Sep 2024 09:17:36 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Thanks for the upgrade! If anyone except me was greeted by the
following strange error after the upgrade:
    jas@kaka:~/src/gnulib$ git pull
    sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE42315277" from
    agent: agent refused operation
    jas@git.sv.gnu.org's password:
The reason is that you are running too old a GnuPG version. Alas
Trisquel 11 (and therefore Ubuntu 22.04) is shipping this old version, so
many may be affected. See bug report here: https://dev.gnupg.org/T5931
One way to work around this is to insert this into your ~/.ssh/config:
    Host git.sv.gnu.org
      # https://dev.gnupg.org/T5931
      # KexAlgorithms -sntrup761x25519-sha512@openssh.com
      PubkeyAuthentication=unbound
As you can see another workaround is to disable sntrup761x25519, but it
is a security tradeoff which option to disable.
Of course, upgrading GnuPG is better, but for those of us who chose to
stay on Trisquel 11 the above may be a simpler way forward.
/Simon
Bob Proulx <bob@proulx.com> writes:
> Savannah Hackers,
>
> I sent this to savannah-users for user consumption and am forwarding
> it to savannah-hackers-public for hacker consumption.
>
> Bob
>
> From: Bob Proulx <bob@proulx.com>
> Subject: git server upgraded
> To: savannah-users@gnu.org
> Date: Fri, 20 Sep 2024 14:57:56 -0600 (10 hours, 13 minutes, 47 seconds ago)
> Mail-Followup-To: savannah-users@gnu.org
>
> Savannah Users,
>
> TL;DR: git server upgraded, please report any problems
>
> Hello Everyone! Just a quick state of the system on the git services
> side of things. A quick back notification on the SQL database system.
> A hint at continuing upgrades in the works.
>
> After various obstacles were cleared the git service has been migrated
> from the previous Trisquel 9 system to a current Trisquel 11 system.
> This brings in updates to git, updates to OpenSSH used for member
> access, updates to nginx used for HTTP access, and upgrades to cgit
> used for web side browsing of the version history.
>
> Among the obstacles the MariaDB API used to access the SQL database
> changed program interfaces which broke building the libnss-mysql
> library used to bridge those two things. The change was minor. The
> reconnect structure member has been deprecated for a looong time and
> has finally been removed entirely. But it was working, it was
> compiling, no problems were seen. Until it was compiled on Trisquel
> 10 with the updated MariaDB client development there. Yes I know that
> was 10 and 11 has been out for a while. But that's why we didn't get
> this done for Trisquel 10. Life and time is what keeps everything
> from happening all at once.
>
> It's now been updated. We are using it for Savannah and need it. I
> have been maintaining it for Savannah's use. I decided to make more
> complete upgrades to it. Updated the C code for that API change. And
> then spent more time updating the autotools build system used by it.
> Changes to the GNU autotools required more updating than the C API
> change! And then also updated the deb packaging. There is still more
> work needed to polish up the deb packaging but it's functional again and
> everything is working on the current Trisquel 11. I expect when 12
> releases that we will be able to roll to it quickly.
>
> https://git.savannah.gnu.org/cgit/administration/libnss-mysql.git/
> https://download.savannah.gnu.org/releases/administration/libnss-mysql/
>
> Another much more minor obstacle was that git version 2.35.2
> introduced a security check for CVE-2022-24765 with this commit
> of interest to us.
>
> https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
>
> My paraphrased summary is that a social engineering attack was
> possible mostly in an education environment where a combination of a
> git enabled PS1 prompt along with a malicious person crafting a .git
> directory above the work area of others can execute code as that other
> user leading to a compromise of their account. The git upstream fix
> to this problem now checks that the git repository directory owner is
> the same user as the current user or it exits with a fatal error.
>
> Immediately you can see that in a multi-member project such as those
> hosted on Savannah only one user can own the repository and all of the
> other committing members are left out unable to also own it. Git will
> immediately exit with the fatal error. It's changes such as this
> which make DevOps "interesting" in the curse sense of the word.
> Fortunately we normally create upgraded systems over in a development
> area first, find these types of problems there, mitigate them, and
> then roll services onto the production system after having already
> mitigated the problem.
>
> In this case git now requires a never before needed /etc/gitconfig
> file instructing git to ignore this check for our Savannah
> repositories. We don't have the same environment the check is
> designed to protect people from that type of an attack and must
> disable it in order to host multi-member projects.
>
> I mentioned the SQL server was previously upgraded. That was less
> exciting. Which is good! Not Internet facing. No one would notice
> the difference. The MariaDB SQL database server was previously
> upgraded from Trisquel 9 to the current Trisquel 11 as well. At that
> opportunistic time the database engines were upgraded from the many
> that were MyISAM to InnoDB. I might describe InnoDB as the new engine
> but it's been the default since 2010. But Savannah's database has
> been around since 2000 and predates this. InnoDB is ACID compliant
> (what you want in a database) and enables future improvements such as
> replication. The charsets were also upgraded uniformly at the same
> time to utf8mb4 from their eclectic collection of latin1 and utf8.
> This should avoid some of the strange multi-byte character issues.
>
> There is a known problem with cgit's index page. No one has been able
> to determine why but the problem has been reported (THANK YOU for the
> problem reports!) and reproduced very often now. The index page has
> garbled project links. We know about it. We have tried to debug it.
> So far no joy at determining the problem. The problem appears and
> then disappears. And to both servers at the same time.
>
> https://git.savannah.gnu.org/cgit/ (link mangling bug)
>
> With the new server upgrade almost ready I decided to push the server
> upgrade through before working on the cgit index page debugging. Now
> that the new system is online I will be focusing effort on debugging
> and fixing the cgit index page problem.
>
> The Subversion server is next on my task queue for upgrade.
> Subversion as with the other version control systems all share the
> same MariaDB SQL user account database and therefore did share in that
> system upgrade. Subversion is not forgotten. Subversion has been
> working away trouble free and I hate to mess with trouble-free working
> systems! It's been rock solid reliable. But it's time to upgrade its
> server too. That will again upgrade member ssh access. It will
> upgrade anonymous read-only checkout via Apache's WebDAV interface.
> That's in the task queue and will be happening not far off now.
>
> I haven't mentioned hg and bzr yet. Not forgotten. But later
> down in the task queue.
>
> This has been a quick state of the Savannah vcs system update!
> Bob
>
>
> ----------
>
Attachment: signature.asc (PGP signature)
Thread:
  Re: [Savannah-hackers-public] git server upgraded, Simon Josefsson (this message)
  Re: [Savannah-hackers-public] git server upgraded, Bob Proulx, 2024/09/21