fix regression from 44b3bee #254

Merged
merged 1 commit into from Sep 25, 2018

M0ses (Collaborator) commented Sep 24, 2018

With checking for local repos, usage of SSH-compliant URLs was no longer
possible.

This fix should re-enable those types of URLs as described in "man git-clone":

[user@]host.xy:path/to/repo

@M0ses M0ses mentioned this pull request Sep 24, 2018
gollub (Contributor) commented Sep 25, 2018

I can't access bug 1107507, but I guess the context of those changes was to prevent non-authorized users from creating tarballs from the local filesystems of the machine running the OBS source-service, or some sort of hardening. With respect to Git and SSH and maybe some other SCM and transport protocols, there is obviously the risk of people trying "root@localhost:/root/devops.git" or something like that. If those changes were all in the context of a security fix, maybe add a security recommendation section to the README to point out that OBS source-service instances should only get credentials (e.g. SSH keys) with restricted access, to prevent unrestricted access to the central OBS filesystems. Or things like that.

I'm not suggesting to try to filter/exclude URLs like:

git@127.0.0.1:/root/devops.git
root@localhost:/root/chef-solo-obs.git

... or something like that.

In case that was the original motivation.

@M0ses M0ses merged commit 51a17c5 into openSUSE:master Sep 25, 2018
@M0ses M0ses deleted the alternative_ssh_urls branch November 29, 2018 10:51
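
The distinction this pull request restores, as an added example (not the project's code): git-clone recognizes `[user@]host:path` as SSH only when no slash precedes the first colon, so a local-repository check has to apply that rule before rejecting a URL. The function names, the scheme list and the sample URLs other than those quoted in the thread are assumptions; POSIX paths only, IPv6 literals are not handled.

```python
import re
from urllib.parse import urlsplit

# Assumed set of network schemes; anything else containing "://" is "unknown".
REMOTE_SCHEMES = {"ssh", "git", "http", "https", "ftp", "ftps"}

# scp-like syntax from "man git-clone": [user@]host:path.
# Host (and user) may not contain "/" or ":", which enforces the
# "no slash before the first colon" rule and keeps ./foo:bar local.
SCP_LIKE = re.compile(
    r"^(?:(?P<user>[^@/:\s]+)@)?(?P<host>[^@/:\s]+):(?P<path>.+)$"
)

# String match only: a hostname can still resolve to loopback, so use this
# for audit logging, not as an access control. Restricted credentials for
# the service account are the control recommended in the thread.
LOOPBACK = re.compile(r"^(localhost|127(\.\d{1,3}){3})$", re.IGNORECASE)


def classify_git_url(url):
    """Return (kind, host); kind is 'local', 'scp-like', 'remote' or 'unknown'."""
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme == "file":
            return ("local", None)
        if parts.scheme in REMOTE_SCHEMES:
            return ("remote", parts.hostname)
        return ("unknown", None)
    match = SCP_LIKE.match(url)
    if match:
        return ("scp-like", match.group("host"))
    # No scheme and no scp-like shape: a path on the service host itself.
    return ("local", None)


def is_loopback_host(host):
    """True when the host string names the machine running the service."""
    return bool(host and LOOPBACK.match(host))


if __name__ == "__main__":
    # Constructed samples, plus the two URLs quoted in the review comment.
    for sample in ("user@host.xy:path/to/repo", "/srv/git/repo.git",
                   "./foo:bar", "git@127.0.0.1:/root/devops.git",
                   "root@localhost:/root/chef-solo-obs.git"):
        kind, host = classify_git_url(sample)
        print(f"{sample:42} {kind:9} loopback={is_loopback_host(host)}")
```
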