#30736 closed defect (fixed)

replacing insecure git:// with secure https://

Reported by: gh-Volker-Weissmann
Owned by:
Priority: major
Milestone: sage-9.3
Component: scripts
Keywords: security git trac
Cc: vbraun, mkoeppe, embray, saraedum
Merged in:
Authors: Volker Weissmann, Dima Pasechnik
Reviewers: Dima Pasechnik, Matthias Koeppe
Report Upstream: N/A
Work issues:
Branch: f482f0c (Commits, GitHub, GitLab)
Commit: f482f0c25a5c50cba16252dc4f527fc7092be0b7
Dependencies:
Stopgaps:


Description (last modified by dimpase)

adjust documentation of Sage and git-trac to use https rather than git.

remove git_trac spkg, as the upstream should be used directly instead, and as our version is long obsolete.

Change History (58)

comment:1 Changed 13 months ago by gh-Volker-Weissmann

  • Branch set to u/gh-Volker-Weissmann/replacing_insecure_git____with_secure_https___

comment:2 Changed 13 months ago by gh-Volker-Weissmann

  • Branch u/gh-Volker-Weissmann/replacing_insecure_git____with_secure_https___ deleted
  • Component changed from PLEASE CHANGE to scripts
  • Keywords security git trac added
  • Priority changed from major to critical
  • Status changed from new to needs_review
  • Type changed from PLEASE CHANGE to defect

comment:3 Changed 13 months ago by gh-Volker-Weissmann

See https://github.com/sagemath/git-trac-command/pull/49 for the second part of this ticket. (This ticket won't work without the git trac PR).

comment:4 follow-up: Changed 13 months ago by dimpase

  • Cc vbraun added

The PR has been merged. So I suppose it's waiting for a new release, to update build/pkgs/git_trac/package-version.txt etc?

comment:5 Changed 13 months ago by gh-Volker-Weissmann

  • Branch set to u/gh-Volker-Weissmann/replacing_insecure_git____with_secure_https___

comment:6 in reply to: ↑ 4 ; follow-up: Changed 13 months ago by gh-Volker-Weissmann

  • Commit set to 1a15744f2fc9cf6de37ffb65f2fd9e91d43f5582

Replying to dimpase:

So I suppose it's waiting for a new release, to update build/pkgs/git_trac/package-version.txt etc?

I don't know what you are talking about. We don't touch build/pkgs/git_trac/package-version.txt .


New commits:

1a15744 replaced insecure git:// with secure https:// or secure git over ssh

comment:7 in reply to: ↑ 6 Changed 13 months ago by dimpase

Replying to gh-Volker-Weissmann:

Replying to dimpase:

So I suppose it's waiting for a new release, to update build/pkgs/git_trac/package-version.txt etc?

I don't know what you are talking about. We don't touch build/pkgs/git_trac/package-version.txt

Sage can install git-trac as its optional package. This ticket updates git-trac, so I thought it should update the optional package too. However, the optional package looks abandoned, last touched in 2016.

Let's remove it here; it seems to be an oversight that it wasn't done years ago.

Last edited 13 months ago by dimpase (previous) (diff)

comment:8 Changed 13 months ago by dimpase

  • Authors set to Volker Weissmann
  • Branch changed from u/gh-Volker-Weissmann/replacing_insecure_git____with_secure_https___ to u/dimpase/replacing_insecure_git____with_secure_https___
  • Commit changed from 1a15744f2fc9cf6de37ffb65f2fd9e91d43f5582 to c28adeff5b638555daf89d82bce21750e070b8be
  • Description modified (diff)
  • Reviewers set to Dima Pasechnik
  • Status changed from needs_review to positive_review

New commits:

c28adef remove git_trac spkg

comment:9 Changed 13 months ago by dimpase

  • Status changed from positive_review to needs_review

comment:10 Changed 13 months ago by dimpase

  • Cc mkoeppe added

I am not sure about changes to docker/Dockerfile - isn't it replacing anonymous access with authenticated? Same for some scripts.

comment:11 Changed 13 months ago by dimpase

This looks wrong:

  • src/bin/sage-env

    a b SINGULARPATH="$SAGE_LOCAL/share/singular" && export SINGULARPATH 
    352352SINGULAR_EXECUTABLE="$SAGE_LOCAL/bin/Singular" && export SINGULAR_EXECUTABLE
    353353
    354354if [ -z "$SAGE_REPO_ANONYMOUS" ]; then
    355     SAGE_REPO_ANONYMOUS="git://trac.sagemath.org/sage.git"
     355    SAGE_REPO_ANONYMOUS="git@trac.sagemath.org:sage.git"
    356356    export SAGE_REPO_ANONYMOUS
    357357fi
    358358if [ -z "$SAGE_REPO_AUTHENTICATED" ]; then
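Review bot: the changed SAGE_REPO_ANONYMOUS line replaces the anonymous git:// URL with the ssh form git@trac.sagemath.org:sage.git, which only works for clients holding an ssh key-pair the server accepts, so every unauthenticated consumer of this variable loses access rather than gaining a secure transport. If an authenticated default is wanted, it belongs in the SAGE_REPO_AUTHENTICATED block that follows; the anonymous variable should keep a URL that needs no credentials.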

as this is anonymous access, as opposed to authenticated. So it should be left alone (as our git server does not provide http(s): access, only git: and ssh:).

comment:12 Changed 13 months ago by dimpase

on the other hand, SAGE_REPO_ANONYMOUS is only used in build/bin/sage-clone-source - a script that is currently not used, so it's OK to change it like this.

But the dockerfile may be used by various bots, so it really matters that it's an anonymous access. The proper fix would be to enable https: on Sage's git server, but I am so not looking forward to this exercise... Perhaps it might be easier to add a server-side post-commit hook to push changes to the github mirror https://github.com/sagemath/sagetrac-mirror, and use it for read access instead.

comment:13 follow-up: Changed 13 months ago by gh-Volker-Weissmann

The problem with using git clone git://trac.sagemath.org/sage.git is that it does not check whether the cloned source code actually originates from sagemath.org. If a hacker got control over e.g. the router, he could manipulate the cloned source code to include malware that gets executed once you build sagemath. This is an unacceptable security vulnerability that needs to be fixed by either using https or ssh.

I tried https://trac.sagemath.org/sage.git, but this is not supported from server-side. I don't see the problem with having git clone git@…:sage.git . A bot could do that, but maybe it would require setting the correct ssh fingerprint like in my other PR:

https://github.com/sagemath/git-trac-command/pull/49/commits/1cf840b144bb49a3948361cd3368db430b75deec

comment:14 in reply to: ↑ 13 ; follow-up: Changed 13 months ago by dimpase

  • Cc embray added

Replying to gh-Volker-Weissmann:

The problem with using git clone git://trac.sagemath.org/sage.git is that it does not check whether the cloned source code actually originates from sagemath.org. If a hacker got control over e.g. the router, he could manipulate the cloned source code to include malware that gets executed once you build sagemath. This is an unacceptable security vulnerability that needs to be fixed by either using https or ssh.

I tried https://trac.sagemath.org/sage.git, but this is not supported from server-side.

yes, I know, I have admin rights for the host running trac.sagemath.org, and setting https access seems to be a tricky task. I can't seem to be able to find a guide on how to do this, although I didn't try too hard. The Git Book only talks about http, not https.

I don't see the problem with having git clone git@…:sage.git . A bot could do that, but maybe it would require setting the correct ssh fingerprint like in my other PR:

I don't see how this could be useful. A typical bot would be, say, a host running a GitHub Actions task, and the problem of distributing the keys seems to be a rather tricky one. Indeed, we do not have a way to have read-only access rights, and so uploading an ssh key-pair to a random host does breach our security just as well.

https://github.com/sagemath/git-trac-command/pull/49/commits/1cf840b144bb49a3948361cd3368db430b75deec

comment:15 in reply to: ↑ 14 ; follow-up: Changed 13 months ago by gh-Volker-Weissmann

Replying to dimpase:

I don't see how this could be useful. A typical bot would be, say, a host running a GitHub Actions task, and the problem of distributing the keys seems to be a rather tricky one. Indeed, we do not have a way to have read-only access rights, and so uploading an ssh key-pair to a random host does breach our security just as well.

https://github.com/sagemath/git-trac-command/pull/49/commits/1cf840b144bb49a3948361cd3368db430b75deec

Why does uploading an ssh key to a random host breach your security? It's a public key, it's meant to be public. If you don't like hard-coded keys, and you can't manage to activate https on the git server, you could make an https site with the correct public ssh fingerprints. Then we could download the key using https and add them into the known_hosts file. If you don't like editing the ~/.ssh/known_hosts file, git clone can pass options to ssh and ssh has an option to use a different known_hosts file.

The only alternative I see is enabling https or switching from trac to a software that supports https.

Last edited 13 months ago by gh-Volker-Weissmann (previous) (diff)

comment:16 in reply to: ↑ 15 ; follow-up: Changed 13 months ago by dimpase

Replying to gh-Volker-Weissmann:

Replying to dimpase:

I don't see how this could be useful. A typical bot would be, say, a host running a GitHub Actions task, and the problem of distributing the keys seems to be a rather tricky one. Indeed, we do not have a way to have read-only access rights, and so uploading an ssh key-pair to a random host does breach our security just as well.

https://github.com/sagemath/git-trac-command/pull/49/commits/1cf840b144bb49a3948361cd3368db430b75deec

Why does uploading an ssh key to a random host breach your security? It's a public key, it's meant to be public.

no, the bot needs a key-pair to be able to pull via ssh, just as a normal user needs a key-pair. Giving a pre-existing key-pair to the bot is not secure, and certainly a bot cannot generate a key-pair and upload the public key.

comment:17 Changed 13 months ago by dimpase

I've set up a post-commit hook on trac so that everything pushed gets immediately mirrored to https://github.com/sagemath/sagetrac-mirror - from which one can pull with https:. So in the scripts one can replace trac with github.com/sagemath/sagetrac-mirror

comment:18 in reply to: ↑ 16 ; follow-up: Changed 13 months ago by gh-Volker-Weissmann

Replying to dimpase:

Replying to gh-Volker-Weissmann:

Replying to dimpase:

I don't see how this could be useful. A typical bot would be, say, a host running a GitHub Actions task, and the problem of distributing the keys seems to be a rather tricky one. Indeed, we do not have a way to have read-only access rights, and so uploading an ssh key-pair to a random host does breach our security just as well.

https://github.com/sagemath/git-trac-command/pull/49/commits/1cf840b144bb49a3948361cd3368db430b75deec

Why does uploading an ssh key to a random host breach your security? It's a public key, it's meant to be public.

no, the bot needs a key-pair to be able to pull via ssh, just as a normal user needs a key-pair. Giving a pre-existing key-pair to the bot is not secure, and certainly a bot cannot generate a key-pair and upload the public key.

If I set the correct public key in my .ssh/known_hosts file, I can just execute git clone git@…:sage.git . I don't know why the bot should not be able to do that.

comment:19 in reply to: ↑ 18 Changed 13 months ago by dimpase

Replying to gh-Volker-Weissmann:

If I set the correct public key in my .ssh/known_hosts file, I can just execute git clone git@…:sage.git . I don't know why the bot should not be able to do that.

isn't it working because you have ssh-agent running, and your public key is already on trac? IMHO git via ssh always does ssh authentication, even git clone - although I might be wrong here.

comment:20 follow-up: Changed 13 months ago by dimpase

Well, yes, I am right, I did an experiment - created a new user, logged in, and

foo@hilbert ~ $ git clone git@github.com:sage/sage.git
Cloning into 'sage'...
The authenticity of host 'github.com (140.82.121.4)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com,140.82.121.4' (RSA) to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
foo@hilbert ~ $ 
foo@hilbert ~ $ git clone git@github.com:sage/sage.git
Cloning into 'sage'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
foo@hilbert ~ $ git clone git@trac.sagemath.org:sage.git
Cloning into 'sage'...
The authenticity of host 'trac.sagemath.org (104.197.143.230)' can't be established.
ECDSA key fingerprint is SHA256:4Op/q3b5792x+F1lHSKRi5UIORAPDlIFVA5cUq9YVXI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'trac.sagemath.org,104.197.143.230' (ECDSA) to the list of known hosts.
git@trac.sagemath.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
foo@hilbert ~ $ git clone git@trac.sagemath.org:sage.git
Cloning into 'sage'...
git@trac.sagemath.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Thus, well, no, it won't fly.

comment:21 in reply to: ↑ 20 Changed 13 months ago by gh-Volker-Weissmann

Replying to dimpase:

Well, yes, I am right, I did an experiment - created a new user, logged in, and

foo@hilbert ~ $ git clone git@github.com:sage/sage.git
Cloning into 'sage'...
The authenticity of host 'github.com (140.82.121.4)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com,140.82.121.4' (RSA) to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
foo@hilbert ~ $ 
foo@hilbert ~ $ git clone git@github.com:sage/sage.git
Cloning into 'sage'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
foo@hilbert ~ $ git clone git@trac.sagemath.org:sage.git
Cloning into 'sage'...
The authenticity of host 'trac.sagemath.org (104.197.143.230)' can't be established.
ECDSA key fingerprint is SHA256:4Op/q3b5792x+F1lHSKRi5UIORAPDlIFVA5cUq9YVXI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'trac.sagemath.org,104.197.143.230' (ECDSA) to the list of known hosts.
git@trac.sagemath.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
foo@hilbert ~ $ git clone git@trac.sagemath.org:sage.git
Cloning into 'sage'...
git@trac.sagemath.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Thus, well, no, it won't fly.

Oh no, that's not good, I didn't know that. I think you will have to set up https then.

comment:22 Changed 13 months ago by git

  • Commit changed from c28adeff5b638555daf89d82bce21750e070b8be to b69a573ec475cd0087d0f79277855ab1fcbafe9f

Branch pushed to git repo; I updated commit sha1. New commits:

b69a573 use github in README

comment:23 follow-up: Changed 13 months ago by dimpase

I suppose we can get away with github.com/sagemath/sagetrac-mirror.git repo (which does allow https) for all the Docker-related stuff and CI. Now committing to git trac goes to there, too. E.g. here is what I saw as I pushed the last commit:

$ git push trac HEAD
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 308 bytes | 308.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
remote: Trac #30736: Commit changed to b69a57.
remote: To git@github.com:sagemath/sagetrac-mirror.git
remote:    c28adef..b69a573  u/dimpase/replacing_insecure_git____with_secure_https___ -> u/dimpase/replacing_insecure_git____with_secure_https___
To trac.sagemath.org:sage.git
   c28adeff5b..b69a573ec4  HEAD -> u/dimpase/replacing_insecure_git____with_secure_https___

The only drawback is that it's a bit slow (we can think of doing the pushing to GitHub in the background).

comment:24 Changed 13 months ago by gh-Volker-Weissmann

Seems like a good idea.

comment:25 in reply to: ↑ 23 Changed 12 months ago by gh-Volker-Weissmann

Replying to dimpase:

I suppose we can get away with github.com/sagemath/sagetrac-mirror.git repo (which does allow https) for all the Docker-related stuff and CI. Now committing to git trac goes to there, too. E.g. here is what I saw as I pushed the last commit:

$ git push trac HEAD
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 308 bytes | 308.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
remote: Trac #30736: Commit changed to b69a57.
remote: To git@github.com:sagemath/sagetrac-mirror.git
remote:    c28adef..b69a573  u/dimpase/replacing_insecure_git____with_secure_https___ -> u/dimpase/replacing_insecure_git____with_secure_https___
To trac.sagemath.org:sage.git
   c28adeff5b..b69a573ec4  HEAD -> u/dimpase/replacing_insecure_git____with_secure_https___

The only drawback is that it's a bit slow (we can think of doing the pushing to GitHub in the background).

Do you want to code that, or should I code that?

comment:26 follow-up: Changed 12 months ago by dimpase

  • Status changed from needs_review to positive_review

I broke the github.com/sagemath/sagetrac-mirror.git while playing with the commit hook, removed it, and for some reason cannot re-create it on github - looks like a github problem, direct pushing from trac server of a 300Mb repo with lots of refs ends with weird

...
! [remote failure]  9.2.beta9 -> 9.2.beta9 (remote failed to report status)
! [remote failure]  9.2.rc0 -> 9.2.rc0 (remote failed to report status)
error: failed to push some refs to 'git@github.com:sagemath/sagetrac-mirror.git'

If you have time please feel free to play with this (in your own GitHub repo, you can always transfer the ownership later): clone the trac repo with --mirror option, then try to push it to GitHub.


The ticket is meanwhile good to go, as the Docker and script things affected by it are currently not in use.

comment:27 Changed 12 months ago by gh-Volker-Weissmann

  • Branch changed from u/dimpase/replacing_insecure_git____with_secure_https___ to u/gh-Volker-Weissmann/replacing_insecure_git____with_secure_https___

comment:28 in reply to: ↑ 26 Changed 12 months ago by gh-Volker-Weissmann

  • Commit changed from b69a573ec475cd0087d0f79277855ab1fcbafe9f to 86b885dc406fef8fc6935835c0a7a2f2fe927a56

Because you said that the script is currently not in use, I just disabled it and added a link to this ticket.


New commits:

86b885d Disabled a broken script

comment:29 Changed 12 months ago by dimpase

  • Status changed from positive_review to needs_info

Oops, sorry, sage-clone-source is actually used in sage-sdist, which is, AFAIK, a part of Volker B.'s (vbraun) workflow to make distributions. But we can assume that vbraun does use ssh authentication to pull from git trac, I suppose? Volker?

Last edited 12 months ago by dimpase (previous) (diff)

comment:30 follow-up: Changed 12 months ago by mkoeppe

  • Status changed from needs_info to needs_work

sage-sdist is also used in CI - see .github/workflows/tox.yml, job dist.

comment:31 in reply to: ↑ 30 Changed 12 months ago by dimpase

Replying to mkoeppe:

sage-sdist is also used in CI - see .github/workflows/tox.yml, job dist.

but there it's not pulling from Sage's git repo, if I understood you correctly, right?

comment:32 follow-up: Changed 12 months ago by mkoeppe

I had forgotten about this particular one. This one uses make dist, which leads to the use of SAGE_REPO_ANONYMOUS.

The idea of make dist (sage-clone-source), by the way, is that the source distribution (like the binary packages) distributes a .git directory that has a git remote that is accessible to any user...

comment:33 in reply to: ↑ 32 Changed 12 months ago by dimpase

Replying to mkoeppe:

I had forgotten about this particular one. This one uses make dist, which leads to the use of SAGE_REPO_ANONYMOUS.

The idea of make dist (sage-clone-source), by the way, is that the source distribution (like the binary packages) distributes a .git directory that has a git remote that is accessible to any user...

What branches are meant to be exposed this way? Experimental ones? One way or another, using a mirror rather than the git trac server could be better also for scalability (also removes the need to set up https access on git trac, something I'm not keen on doing, as it seems to be dark art :-)).

I'm currently building up a mirror on GitLab - pushing all the branches one by one, otherwise it chokes up, so it should be ready in a day or two.

comment:34 Changed 12 months ago by dimpase

There is also already functional https://gitlab.com/sagemath/dev/trac.git - which does updates by pulling using git://, so that currently defeats its purpose, security-wise. It should be possible to make it use ssh (not sure if we're in a tier that allows this for free). As well, it does pull every 30 minutes (or even a bit less often), so there is a delay.

comment:35 Changed 12 months ago by dimpase

  • Cc saraedum added

comment:36 Changed 12 months ago by dimpase

Finally I got a push mirror running on https://gitlab.com/sagemath/dev/tracmirror - so this should be used wherever possible to reduce the load on our git server, and use https: in place of git:.

Sorry that it took so long.

comment:37 Changed 12 months ago by dimpase

  • Branch changed from u/gh-Volker-Weissmann/replacing_insecure_git____with_secure_https___ to public/replacing_insecure_git____with_secure_https___
  • Commit changed from 86b885dc406fef8fc6935835c0a7a2f2fe927a56 to c6a947d138981d089a38b47d98d02f47d423e190
  • Status changed from needs_work to needs_review

New commits:

1ebc40d replaced insecure git:// with secure https:// or secure git over ssh
6cf3cd0 Disabled a broken script
ecefe50 Revert "Disabled a broken script"
c6a947d used https gitlab push mirror where appropriate

comment:38 Changed 12 months ago by git

  • Commit changed from c6a947d138981d089a38b47d98d02f47d423e190 to 6797e46d64442438c7e82c598538ab97b12308c6

Branch pushed to git repo; I updated commit sha1. New commits:

6797e46 remove git_trac spkg

comment:39 Changed 12 months ago by dimpase

OK, so now it's as intended. Please review.

comment:40 follow-up: Changed 12 months ago by embray

I don't understand how this is different from https://gitlab.com/sagemath/dev/trac which we already had.

comment:41 in reply to: ↑ 40 Changed 12 months ago by dimpase

Replying to embray:

I don't understand how this is different from https://gitlab.com/sagemath/dev/trac which we already had.

the old one is a pull mirror, so there is a 30+ min delay in updating it, as opposed to the new one, which is a push mirror, updated immediately via push from trac git server (via a post-receive commit hook)

Last edited 12 months ago by dimpase (previous) (diff)

comment:42 follow-up: Changed 12 months ago by mkoeppe

This change seems to have been made mechanically without checking whether the server exists:

--- a/build/pkgs/tdlib/SPKG.rst
+++ b/build/pkgs/tdlib/SPKG.rst
@@ -24,7 +24,7 @@ Upstream Contact
 ----------------
 
 - Lukas Larisch (larisch@informatik.uni-frankfurt.de)
-- git-repo: git://pholia.tdi.cs.uni-frankfurt.de/git/tdlib
+- git-repo: https://pholia.tdi.cs.uni-frankfurt.de/git/tdlib
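Review bot: the `git-repo:` line only swaps the URL scheme from git:// to https://; nothing in the hunk establishes that pholia.tdi.cs.uni-frankfurt.de serves the repository over https at all, so a reader following the new link may get a connection failure where the old entry at least recorded the historical location. Check that the host answers over https before changing the scheme, and if it does not, replace the entry with the upstream's current repository location rather than an unverified URL.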
Last edited 12 months ago by mkoeppe (previous) (diff)

comment:43 follow-up: Changed 12 months ago by mkoeppe

 if [ -z "$SAGE_REPO_ANONYMOUS" ]; then
-    SAGE_REPO_ANONYMOUS="git://trac.sagemath.org/sage.git"
+    SAGE_REPO_ANONYMOUS="https://gitlab.com/sagemath/dev/tracmirror.git"
     export SAGE_REPO_ANONYMOUS
 fi
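Review bot: the new value points SAGE_REPO_ANONYMOUS at the GitLab mirror while SAGE_REPO_AUTHENTICATED, set in the block that follows this one in sage-env, still names the trac server. Any script that takes both its fetch and its push URL from the anonymous variable will now attempt pushes to the mirror; add a comment here that the mirror is fetch-only and make sure callers set the push URL from SAGE_REPO_AUTHENTICATED.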

This is the one that the source tarballs made using make dist will be referring to. Why is this one using gitlab instead of the new mirror?

comment:44 in reply to: ↑ 43 ; follow-up: Changed 12 months ago by mkoeppe

Replying to mkoeppe:

 if [ -z "$SAGE_REPO_ANONYMOUS" ]; then
-    SAGE_REPO_ANONYMOUS="git://trac.sagemath.org/sage.git"
+    SAGE_REPO_ANONYMOUS="https://gitlab.com/sagemath/dev/tracmirror.git"
     export SAGE_REPO_ANONYMOUS
 fi

This is the one that the source tarballs made using make dist will be referring to. Why is this one using gitlab instead of the new mirror?

Sorry, I meant: Why is this one not using the github URL to match what is advertised in README?

comment:45 in reply to: ↑ 44 Changed 12 months ago by dimpase

Replying to mkoeppe:

Replying to mkoeppe:

 if [ -z "$SAGE_REPO_ANONYMOUS" ]; then
-    SAGE_REPO_ANONYMOUS="git://trac.sagemath.org/sage.git"
+    SAGE_REPO_ANONYMOUS="https://gitlab.com/sagemath/dev/tracmirror.git"
     export SAGE_REPO_ANONYMOUS
 fi

This is the one that the source tarballs made using make dist will be referring to. Why is this one using gitlab instead of the new mirror?

Sorry, I meant: Why is this one not using the github URL to match what is advertised in README?

on github we now only have a repo with develop and master branches (and all the tags for betas/rcs, starting from 8.5.beta1)

the gitlab repo used on this ticket is a true push mirror, carrying all the branches, and only behind the git trac server by seconds. (and as git trac does not allow https access, we use the gitlab repo, which does allow https)

comment:46 Changed 12 months ago by mkoeppe

That's great, thanks for the explanation.

comment:47 follow-up: Changed 12 months ago by mkoeppe

I think sage-clone-source should be changed so that either the push URL is removed, or set to trac.

comment:48 in reply to: ↑ 47 Changed 12 months ago by mkoeppe

Replying to mkoeppe:

I think sage-clone-source should be changed so that either the push URL is removed, or set to trac.

Right now we have:

$ git remote -v
origin	https://gitlab.com/sagemath/dev/tracmirror.git (fetch)
origin	https://gitlab.com/sagemath/dev/tracmirror.git (push)
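As an added example (not code from this ticket, from Sage or from git-trac), the following POSIX shell script puts the checks discussed in comments 13, 15 and 48 into practice from the defender's side: `audit_remotes` reads `git remote -v` output like the one above and flags remotes that fetch over a transport that does not authenticate the server (git://, http://), and `pin_host_key` records a server's ssh public key in a dedicated known_hosts file, refusing to overwrite a pinned key that has changed, with `pinned_ssh_command` producing the GIT_SSH_COMMAND value that makes git use that file with strict host-key checking. The remote lines and the key strings are constructed for illustration; the function names are this example's own, and the ssh options UserKnownHostsFile and StrictHostKeyChecking are standard OpenSSH options.

```shell
#!/bin/sh
# Added example (not part of the Sage ticket or git-trac): defender-side checks
# for the transport problems discussed in the ticket. POSIX sh; uses awk and printf.

# Classify a git remote URL by whether the transport authenticates the server.
# git:// and http:// carry no authentication, so a network-level attacker can
# substitute the cloned history. https:// is authenticated by the server
# certificate; ssh (ssh:// or scp-style user@host:path) by the host key, but
# only if that key has been pinned (see pin_host_key below).
classify_git_url() {
    case "$1" in
        git://*|http://*|ftp://*) echo insecure ;;
        https://*|ssh://*|*@*:*)  echo secure ;;
        *)                        echo unknown ;;   # local paths, file://, etc.
    esac
}

# Read `git remote -v` output on stdin and print "<name> <direction> <class> <url>"
# for each line. Returns 1 if any remote uses an insecure transport.
audit_remotes() {
    bad=0
    while read -r name url dir; do
        [ -n "$name" ] || continue
        cls=$(classify_git_url "$url")
        printf '%s %s %s %s\n' "$name" "$dir" "$cls" "$url"
        if [ "$cls" = insecure ]; then bad=1; fi
    done
    return "$bad"
}

# Pin HOST's public key into a dedicated known_hosts file (plain "host type key"
# lines; hashed or host,ip entries are not handled by this example). The key
# itself must come from a trusted channel, e.g. an https page published by the
# server operator. Returns 0 when the entry was added or already matches, 2 when
# HOST is pinned with a different key: that is the signal to investigate, never
# to overwrite.
pin_host_key() {
    kh=$1; host=$2; keytype=$3; key=$4
    [ -f "$kh" ] || : > "$kh"
    existing=$(awk -v h="$host" '$1 == h { print $2, $3; exit }' "$kh")
    if [ -z "$existing" ]; then
        printf '%s %s %s\n' "$host" "$keytype" "$key" >> "$kh"
        return 0
    fi
    if [ "$existing" = "$keytype $key" ]; then
        return 0
    fi
    echo "pin_host_key: $host already pinned with a different key" >&2
    return 2
}

# Value for GIT_SSH_COMMAND so that git only connects to hosts listed in the
# pinned file; with StrictHostKeyChecking=yes ssh refuses unknown or changed
# keys instead of prompting (the prompt seen in comment 20 never appears).
pinned_ssh_command() {
    printf 'ssh -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$1"
}

# Demo with constructed data; run as `sh git_transport_check.sh demo`.
demo() {
    printf 'origin\tgit://trac.sagemath.org/sage.git (fetch)\norigin\tgit@trac.sagemath.org:sage.git (push)\n' \
        | audit_remotes || echo "=> insecure remote found"
    kh=$(mktemp)
    # constructed key strings, not the real trac.sagemath.org host key
    pin_host_key "$kh" trac.sagemath.org ecdsa-sha2-nistp256 AAAAconstructedKey1
    pin_host_key "$kh" trac.sagemath.org ecdsa-sha2-nistp256 AAAAdifferentKey2 \
        || echo "=> key mismatch, rc=$?"
    echo "GIT_SSH_COMMAND=$(pinned_ssh_command "$kh")"
    rm -f "$kh"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In practice one would feed `git remote -v` into `audit_remotes` from a CI step and fail the job on a non-zero status, and export `GIT_SSH_COMMAND="$(pinned_ssh_command /path/to/pinned_hosts)"` before cloning over ssh so that a changed or unknown host key aborts the clone instead of asking the bot a question it cannot answer.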

comment:49 Changed 12 months ago by mkoeppe

diff --git a/build/bin/sage-clone-source b/build/bin/sage-clone-source
index 6720ea7391..dbbf33a786 100755
--- a/build/bin/sage-clone-source
+++ b/build/bin/sage-clone-source
@@ -35,6 +35,7 @@ git clone "$SRC" "$DST"
 
 cd "$DST"
 git remote set-url origin "$SAGE_REPO_ANONYMOUS"
+git remote set-url --push origin "$SAGE_REPO_AUTHENTICATED"
 
 # Save space
 git gc --aggressive --prune=now
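Review bot: the added `git remote set-url --push origin "$SAGE_REPO_AUTHENTICATED"` line has no guard, so when SAGE_REPO_AUTHENTICATED is empty in the environment running `make dist` git is handed an empty URL and the script aborts at this point. Wrap it in `if [ -n "$SAGE_REPO_AUTHENTICATED" ]; then ... fi` or make sure the sage-env defaults are sourced first, and add a comment that fetch goes to the https mirror while push goes to trac over ssh, since this .git is what every source tarball ships.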

comment:50 in reply to: ↑ 42 Changed 12 months ago by dimpase

Replying to mkoeppe:

This change seems to have been made mechanically without checking whether the server exists

I agree. It seems that the current active upstream is at https://github.com/freetdi/tdlib and the old servers are long gone. (email is obsolete too, the current affiliation of Larisch appears to be KAUST: https://cemse.kaust.edu.sa/cs/people/person/lukas-larisch)

I'll fix this.

comment:51 Changed 12 months ago by dimpase

I've opened #30813 to investigate a possibility to update tdlib.

comment:52 Changed 12 months ago by git

  • Commit changed from 6797e46d64442438c7e82c598538ab97b12308c6 to f482f0c25a5c50cba16252dc4f527fc7092be0b7

Branch pushed to git repo; I updated commit sha1. New commits:

c9a542f correct push URL - needs authentication
f482f0c update tdlib info

comment:53 Changed 12 months ago by mkoeppe

  • Authors changed from Volker Weissmann to Volker Weissmann, Dima Pasechnik
  • Priority changed from critical to blocker
  • Reviewers changed from Dima Pasechnik to Dima Pasechnik, Matthias Koeppe
  • Status changed from needs_review to positive_review

comment:54 Changed 12 months ago by vbraun

  • Priority changed from blocker to major

Not a blocker

comment:55 Changed 12 months ago by dimpase

well, if you prefer leaving security holes open...

comment:56 Changed 12 months ago by mkoeppe

  • Milestone changed from sage-9.2 to sage-9.3

comment:57 Changed 12 months ago by chapoton

Will this allow us to fix our current docker hub problem?

Apparently it fails on the following line in docker/Dockerfile:

git remote add trac git://trac.sagemath.org/sage.git

See https://gitlab.com/sagemath/sage/-/pipelines

comment:58 Changed 12 months ago by vbraun

  • Branch changed from public/replacing_insecure_git____with_secure_https___ to f482f0c25a5c50cba16252dc4f527fc7092be0b7
  • Resolution set to fixed
  • Status changed from positive_review to closed