ecosystem: rockspecs should not use insecure git protocol

[Totktonada]

We recently was hit by the following problem:

$ tarantoolctl rocks install luatest                                                                                                                                                               
Installing http://rocks.tarantool.org/luatest-scm-1.rockspec

Cloning into 'luatest'...
fatal: remote error: 
  The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

Error: Failed cloning git repository.

The reason is that GitHub is going to disable pulls using insecure git protocol: https://github.blog/2021-09-01-improving-git-protocol-security-github/.

Generally it means that we should replace url = 'git://github.com/<...>'.git rockspec directive with url = 'git+https://github.com/<...>.git'. (Caution: just url = 'https://<...>' means a tarball, not a git repository.)

I resolved the problem manually: updated all problematic rockspecs on rocks.tarantool.org (it is the server, which is used by default by tarantoolctl rocks [subcommand]).

However we should update rockspecs in repositories, because it is quite usual to deploy a rockspec from a project repository to rocks.tarantool.org automatically from CI (or manually, but the rockspec is anyway based on one from the repository).

We should also restrict rocks.tarantool.org server to decline rockspecs with insecure github.com repository URLs:

• Verify that git repository URL is secured with TLS (if on GitHub) rocks.tarantool.org#47

---

The list of rocks.tarantool.org rocks with status against this problem is the following (will be updated).

• argon2 (rockspec: use git+https:// for git repository URL argon2#2)
• argparse (unaffected, already git+https://)
• authman (rockspec: use git+https:// for git repository URL mailru/tarantool-authman#20)
• avro-schema (rockspec: use git+https:// for git repository URL avro-schema#143)
• cartridge (unaffected, already git+https://)
• cartridge-cli (unaffected, already git+https://; the rock is deprecated, it was rewritten in Go)
• cartridge-cli-extensions (unaffected, already git+https://)
• cartridge-extensions (unaffected, already git+https://)
• cbench (rockspec: use git+https:// for git repository URL cbench#7)
• checks (rockspec: use git+https:// for git repository URL checks#29)
• conf (https://github.com/tarantool/conf/pull/13)
• config (rockspec: use git+https:// for git repository URL config#10)
• connpool (rockspec: use git+https:// for git repository URL connpool#8)
• crud (unaffected, already git+https://)
• cron-parser (Change protocol of rock source cron-parser#8)
• date (rockspec: use git+https:// for git repository URL Tieske/date#27)
• ddl (unaffected, already git+https://)
• document (rockspec: use git+https:// for git repository URL document#8)
• dump (rockspec: use git+https:// for git repository URL dump#12)
• expirationd (rockspec: use git+https:// for git repository URL expirationd#91)
• frontend-core (unaffected, already git+https://)
• errors (unaffected, already git+https://)
• gis (rockspec: use git+https:// for git repository URL gis#18)
• gperftools (rockspec: use git+https:// for git repository URL gperftools#6)
• graphite (deprecated, will not receive updates)
• graphql (rockspec: use git+https:// for git repository URL graphql#23)
• graphqlapi (unaffected, already git+https://)
• graphqlide (unaffected, already git+https://)
• http (rockspec: use git+https:// for git repository URL http#148)
• http-v2-legacy (rockspec: actualize the rockpec for v2 http#149)
• icu-date (rockspec: use git+https:// for git repository URL icu-date#29)
• jsonpath (rockspec: use git+https:// for git repository URL lua-jsonpath#2)
• kafka (rockspec: use git+https:// for git repository URL kafka#47)
• ldecnumber (rockspec: use git+https:// for git repository URL ldecnumber#5)
• lpeglabel (unaffected, all rockspecs use tarball URLs)
• lrexlib-pcre (rockspec: use git+https:// for git repository URL rrthomas/lrexlib#41)
• lrexlib-pcre2 (rockspec: use git+https:// for git repository URL rrthomas/lrexlib#41)
• lua-term (unaffected, the rockspec uses a tarball URL)
• luacheck (unaffected, already git+https://)
• luacov (already git+https://, was updated here)
• luacov-console (rockspec: use git+https:// for git repository URL spacewander/luacov-console#2)
• luacov-reporters (rockspec: use git+https:// for git repository URL luacov-reporters#2)
• luafilesystem (rockspec: use git+https:// for git repository URL lunarmodules/luafilesystem#152)
• luagraphqlparser (rockspec: use git+https:// for git repository URL luagraphqlparser#7)
• luarapidxml (unaffected, already git+https://)
• luatest (rockspec: use git+https:// for git repository URL luatest#188)
• lulpeg (rockspec: sync rockspecs with rocks.tarantool.org LuLPeg#6)
• membership (unaffected, already git+https://)
• memcached (rockspec: use git+https:// for git repository URL memcached#72)
• metrics (Update url in rockspec metrics#320)
• migrate (rockspec: use git+https:// for git repository URL migrate#18)
• migrations (unaffected, already git+https://)
• modulekit (the rockspec is removed from rocks.tarantool.org, see below; but the repository is to be updated; rockspec: use git+https:// for git repository URL modulekit#7 and rockspec: use git+https:// for git repository URL modulekit#8)
• moonwalker (tarantool/moonwalker@36ba736)
• mqtt (rockspec: use git+https:// for git repository URL mqtt#43)
• mrasender (rockspec: use git+https:// for git repository URL mailru/mrasender#1)
• mysql (rockspec: use git+https:// for git repository URL mysql#62)
• pg (rockspec: use git+https:// for git repository URL pg#27)
• prometheus (deprecated, will not receive updates)
• queue (rockspec: use git+https:// for git repository URL queue#154)
• shard (deprecated, will not receive updates)
• sharded-queue (unaffected, already git+https://)
• smtp (rockspec: use git+https:// for git repository URL smtp#50)
• sqlparser (rockspec: use git+https:// for git repository URL sqlparser#14)
• stat (deprecated, will not receive updates)
• tarantool-lsp (rockspec: use git+https:// for git repository URL lua-lsp#14)
• tarantool-curl (deprecated, will not receive updates)
• template (rockspec: use git+https:// for git repository URL template#8)
• tnt-kafka (the old name of kafka, will not receive updates)
• tracing (tarantool/tracing@9feeae6)
• tradeparser (rockspec: use git+https:// for git repository URL tradeparser#4)
• tuple-keydef (rockspec: use git+https:// for git repository URL tuple-keydef#22)
• tuple-merger (rockspec: use git+https:// for git repository URL tuple-merger#28)
• vshard (rockspec: use git+https:// for git repository URL vshard#305)
• watchdog (rockspec: use git+https:// for git repository URL watchdog#20)
• websocket (rockspec: use git+https:// for git repository URL websocket#15)
• zookeeper (rockspec: use git+https:// for git repository URL zookeeper#11)

---

Removed the 'modulekit' rockspec from rocks.tarantool.org, because it is too old (corresponds to the old repository layout) and could not be installed anymore. The repository is splitted now to luakit and ckit branches. Since there is no much sense to deploy the template repository, I will not deploy 'luakit' and 'ckit' rocks instead of the 'modulekit' one.

---

luafun will be updated here:

• Make it work after github removed git:// support luafun/luafun#61

[tst2005]

Hello,
An alternative solution to patch each repository is to change the tool that using them.
Luarocks did it with luarocks/luarocks@9ff512e .
Maybe tarantool can also consider this way.

Regards,

[Totktonada]

@tst2005 Wow, I didn't aware of that. Filed #6597.

[Totktonada]

It is not in the list, but I also proposed the same change to luacov-coveralls: moteus/luacov-coveralls#30.

[Totktonada]

Remaining task:

• Verify that git repository URL is secured with TLS (if on GitHub) rocks.tarantool.org#47

[Totktonada]

Current status:

• All the rockspecs are updated on the rocks server.
• The rockspecs in the repositories are updated too, except:
  • authman (rockspec: use git+https:// for git repository URL mailru/tarantool-authman#20)
  • mrasender (rockspec: use git+https:// for git repository URL mailru/mrasender#1)
  • luacov-coveralls (rockspec: use git+https:// for git repository URL moteus/luacov-coveralls#30) (it is not listed in this issue, because it is not present on our rocks server)
• The server side task Verify that git repository URL is secured with TLS (if on GitHub) rocks.tarantool.org#47 is opened.

I think there is nothing to track here. Closing then.