-
-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: treat github sources as case insensitive #471
Conversation
And I noticed the PR after mi comment in the issue Would it be enough to normalize when If so, we should not transform user/password to avoid breakinig |
Could you add some tests |
@bcardiff added code to deal with generic |
Co-authored-by: Johannes Müller <straightshoota@gmail.com>
Just my two cents, but maybe it would have been better to fix this issue just for github. The original PR was a one line change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the changes here should be scoped only to the 3 resolvers: github
, gitlab
and bitbucket
. All of the logic for git
resolver is a "magic" in charge of fixing user mistakes - which IMO shouldn't be the case at all - user is free to choose the resolver, and with git
it will simply have to be correct, as that's the nature of generic git
- or for that matter http
- paths.
@Sija we're only normalising github, bitbucket and gitlab paths, these services and their behaviour are well known and the path is being normalised to the one they recommend when you click the clone button on their webpage. Not only will this improve performance, as a HTTP to HTTPS redirect will occur if you are cloning from the service |
|
I personally think it's fine as we're only fixing up well known services. |
@stakach I'm also confused about the SolarWinds remarks - what does that have to do with any of this? |
https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/ For example, lets say you have a popular app that might be a target of hackers
was using the solarwinds example as a reference to show that this kind of attack does happen, getting around code signing |
How would you do it, if the copy-pasta from every website you mentioned uses
What's the difference here between |
I think treating shardbox.org normalizes resolvers that way, too: https://github.com/shardbox/shardbox-core/blob/19fb582433bbd914ba31295c76cf411d322c2a71/src/repo/ref.cr#L22 (there's no downcasing the path, but it still works because the DB field is case-insensitive; should probably normalize that explicitly, though). To address security concerns with unencrypted connections, we could consider to make |
Co-authored-by: Johannes Müller <straightshoota@gmail.com>
Let's Encrypt will only generate a certificate for a domain if you can prove you control it, they just make the proving process super simple. |
I think I would leave out I guess that using github: or git: with http[s] is the most common thing. @straight-shoota can you confirm from shardbox that? If we leave out the Other than that the PR looks good to me. I think it's fine to rewrite http to https for these known hosts. @stakach don't you have private shards that would be affected by this change for example? cc: @bararchy |
@bcardiff the The accepted answer in that stackoverflow post mentions:
to use ssh with authentication you need to specify the URL in the form of: |
Yes. All dependencies known to shardbox with |
fixes #470 #275