bug-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#22883: Trustable "guix pull"


From: fluxboks
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 15 May 2016 15:40:49 +0300
User-agent: Roundcube Webmail/1.0.6

Please, for the love of all/any gods!(if any)
Fix this issue :)
For example, you can get this https to work: https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
(it doesn't currently)

$ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
--2016-05-15 15:32:15-- https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Resolving git.savannah.gnu.org... 208.118.235.72
Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Chromium says:
This site can’t provide a secure connection

git.savannah.gnu.org sent an invalid response.
Learn more about this problem.
ERR_SSL_PROTOCOL_ERROR

This works just fine though: https://savannah.gnu.org/ and https://gnu.org/ and https://www.gnu.org/

As a reminder, letsencrypt and startssl are a thing - both provide free certs. If that's the issue.

But I presume there must be another reason why there's no https, therefore would you please consider hosting it somewhere like github? or if github isn't inline with GNU(for whatever reasons, eg. license), then surely notabug.org is(according to libreboot which recommends it instead of github)! Please, pretty please, consider it. At the very least you could host a mirror/clone there(if not make it the permanent home of the repo.) and someone(a dev) could push to both without even having two remotes(ie. just the origin remote with two push urls is okay); so when push-ing, both savannah and notabug would get updated(see below how), and thus we(the users) could use the notabug link to get master.tar.gz which would then be https.
It would be something like this:
https://https://notabug.org/guixuser/guix/archive/master.tar.gz
(so it's .gz not .xz, is that worse than serving it over plain http?)
I would actually recommend github for increased reliability, but whatever! As long as it's not served over http anymore! Or find some way of signing it? that's going to be harder than this!

Here's how to have two push refs in the same remote(origin):
Suppose that this
git remove -v show
shows this:
origin  https://github.com/gorhill/uMatrix.git (fetch)
origin  https://github.com/gorhill/uMatrix.git (push)
Then to add another push url to the same origin remote, you'd do:
re-add the already existing push url(from above):
git remote set-url --add --push origin https://github.com/gorhill/uMatrix.git
now, this
git remote -v show
would show no changes!
and now add the new one:
git remote set-url --add --push origin address@hidden:somethingelse/uMatrix.git
and now, this
git remote -v show
would show:
origin  https://github.com/gorhill/uMatrix.git (fetch)
origin  https://github.com/gorhill/uMatrix.git (push)
origin  address@hidden:somethingelse/uMatrix.git (push)

So when you do 'git push', it will push to both (so it will prompt for your ssh key password twice).

Of course for you the 'https://' urls from above would be 'git@' instead! (they just happen to be https for me, since I don't have push access)

I want to be honest here: this bug is a show stopper for me! It makes me draw certain unfavorable conclusions about the mentality and seriousness of the guix project devs. I wish it wouldn't, but really can you blame me? I want to use guix but not until something's done about this so that MITM is unlikely to happen here. At the very least let me pull this over https, please!

If you use notabug.org then not only we(the users) can get/clone the git repo over https, but we can also get/clone it over ssh! (instead of over just plain git://). So that'd be two rabbits in one shot!

Please let me know if anything is going to be done about this, so that I would know what to do next: wait or move on. No hard feels. Presumably any direct answer would be better than no answer, so that I would know what to do, rather than waste time waiting for an answer...
Thank you and I appreciate your time in reading all this!

-signed, an idiot. ;-) #whohasselfesteemamirite






reply via email to

[Prev in Thread] Current Thread [Next in Thread]