Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem: Some ebuilds were using the insecure git:// url scheme #84

Merged
merged 1 commit into from Feb 17, 2015
Merged

Problem: Some ebuilds were using the insecure git:// url scheme #84

merged 1 commit into from Feb 17, 2015

Conversation

vladimir-lu
Copy link

Using https is an improvement to building because at least you can verify that no-one is modifying your git repository in-flight.

This is part of https://github.com/Heather/gentoo-rust/issues/83

@jauhien
Copy link
Contributor

jauhien commented Feb 16, 2015

A good point, thanks. That's interesting, why do we have live ebuilds (lots of them) with git scheme in the main tree? Do we have any policy? Or does git have any other security checking?

cnd pushed a commit that referenced this pull request Feb 17, 2015
Merge pull request #84 from vladimir-lu/master
973e5a2 
Problem: Some ebuilds were using the insecure git:// url scheme
@cnd cnd merged commit 973e5a2 into gentoo:master Feb 17, 2015
@williamh
Copy link
Contributor

Unless there is something new that I don't know about, git:// is the preferred way to pull git repositories -- it is faster than https for one.

@cnd
Copy link
Contributor

cnd commented Feb 17, 2015

@williamh but what do you think about original message by @vladimir-lu it sounds fine for me for now. It will be sane to revert this commit if by working with git:// we can be safe. (offtop: granted you push access)

@vladimir-lu
Copy link
Author

It depends on who you want to trust and how far. The git:// protocol is basically plaintext and in theory all you need to verify after you clone is the sha1 sum of the latest commit that you care about. In practice, if you are using layman and not manually checking github, this is a bit like those md5sums that people put on their http:// site without any further signature.

https:// then gets you at least the guarantee that if you trust Github and the CA system, you know the code was the code that was in the gentoo-rust repository on Github.

Now you may go even further and say that we want all commits to be GPG-signed, but this is not infallible: http://mikegerwitz.com/papers/git-horror-story and in practice quite tricky to not mess up.

As for speed, I performed the following test:

#!/bin/sh

for i in `seq 1 20`; do
    rm -rf rust
    /usr/bin/time -p -a -o https-time.txt git clone https://github.com/rust-lang/rust.git
done

for i in `seq 1 20`; do
    rm -rf rust
    /usr/bin/time -p -a -o git-time.txt git clone git://github.com/rust-lang/rust.git
done

For the git:// protocol, the average real time was 50.79 and for https:// it was 50.63. At least on my 80Mbit connection it looks the same. In theory, https may be slower because the initial handshake is slower.

Note: https://gist.github.com/grawity/4392747 seems to have a good summary of the different git protocols

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@vladimir-lu @jauhien @williamh @cnd