[bug:1489417] Gerrit shouldn't offer http or git for code download #25

Closed
gluster-ant opened this issue Mar 12, 2020 · 6 comments
Labels: Migrated (The bugs migrated from bugzilla to Github), Type:Bug

Comments

@gluster-ant
Collaborator

URL: https://bugzilla.redhat.com/1489417
Creator: mscherer at redhat
Time: 20170907T12:15:58

The git protocol is in clear text, so we should avoid it, since an attacker could do MITM and inject code that will be built (and likely executed) on a user's system.

gluster-ant added the Migrated (The bugs migrated from bugzilla to Github) and Type:Bug labels on Mar 12, 2020
@gluster-ant
Collaborator Author

Time: 20170907T17:20:16
nigelb at redhat commented:
The intention here was to reduce the load on Gerrit servers. We should do the following to fix this up:

  • Remove Giturl from the config so it's not advertised over the UI
  • Set up a read-only replica of the git repos on Gerrit for CI to consume.
  • Get that to serve over HTTPS for the CI system to clone.

The git clone is actively used by the CI system because it doesn't place load on Gerrit itself.
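As an added example (not code from the Gluster project or from anyone in this thread), a Python check for the first two items above: it parses a constructed gerrit.config fragment and reports which advertised download schemes would let a CI clone travel without transport integrity. It assumes Gerrit's documented `download.scheme`, `gerrit.canonicalGitUrl`, `gerrit.gitHttpUrl` and `gerrit.canonicalWebUrl` keys; the hostname is made up.

```python
import re
from urllib.parse import urlsplit

# Constructed gerrit.config fragment (git-config style INI); the hostname is made up.
SAMPLE_GERRIT_CONFIG = """\
[gerrit]
    canonicalWebUrl = https://review.example.org/
    canonicalGitUrl = git://review.example.org/
    gitHttpUrl = http://review.example.org/
[download]
    scheme = ssh
    scheme = anon_git
    scheme = http
    scheme = anon_http
"""
def parse_git_config(text):
    """Parse git-config style INI into {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def audit_download_transports(text):
    """Return (scheme, transport) pairs for offered downloads that travel in clear."""
    cfg = parse_git_config(text)
    gerrit, download = cfg.get("gerrit", {}), cfg.get("download", {})
    def base_scheme(key):  # URL scheme of an advertised base URL, or None if unset
        values = gerrit.get(key)
        return urlsplit(values[0]).scheme.lower() if values else None
    findings = []
    for scheme in download.get("scheme", []):
        if scheme == "anon_git":
            # git:// has no authentication or integrity protection by design
            findings.append((scheme, base_scheme("canonicalgiturl") or "git"))
        elif scheme in ("http", "anon_http"):
            # HTTP downloads are only a finding when the advertised base is not TLS
            transport = base_scheme("githttpurl") or base_scheme("canonicalweburl")
            if transport != "https":
                findings.append((scheme, transport))
    return findings
```

Dropping the `anon_git` scheme and pointing `gitHttpUrl` at an https base makes the audit return an empty list, which is the state the two items above aim for.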

@gluster-ant
Collaborator Author

Time: 20170907T22:16:45
mscherer at redhat commented:
We already have a reverse proxy in front of gerrit, so we can (maybe with lots of hacks in the automation) do some magic to bypass gerrit for a specific URL and/or vhost.

@gluster-ant
Collaborator Author

Time: 20170908T04:00:49
nigelb at redhat commented:
The interest in the less hacky solution is so that we can bring down gerrit without majorly affecting CI jobs, which will clone from our replicated git.

@gluster-ant
Collaborator Author

Time: 20190527T01:51:27
sankarshan at redhat commented:
Are there plans to do further/additional work on this? If not, I'd request a CLOSED DEFERRED.

@gluster-ant
Collaborator Author

Time: 20190612T12:17:18
mscherer at redhat commented:
Dunno, I think Nigel had a specific plan for this, but that's not on my radar. I would however keep it open so we do not forget, once more urgent stuff is done (or once we get more resources, which would have a side effect of fixing more urgent stuff).

@mscherer
Collaborator

We dropped gerrit, so closing
