Gnus Git repository info and comitters: need updated password

Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

What's coming: as soon as the Git repo is ready, it will be available
over HTTP for read-only access and over HTTPS+WebDAV for comitters.  If
you want to help with the migration (porting the CVS repository over),
let me know and I'll give you write access to the current
repository.

You can look at it read-only right now at http://git.gnus.org/gnus.git
but it may need to be completely redone before it's finalized.  I
imported the history from git://randomsample.de/gnus.git (thanks to
David Engster) but it needs to be verified.  It's 1.6 GB on the server
so a git clone takes a while (I don't know a good way to make it
faster).  At least the current checkout is the same as the CVS checkout,
except for

2010-04-01  Andreas Schwab  <schwab@linux-m68k.org>

which is only in CVS right now.

If you are a Gnus repository comitter, I need you to generate a new
password for the upcoming Git repository for Gnus.  If you don't, you
will not have the commit bit; I will not generate a default password for
you.  I am bcc-ing all the current comitters; if you are not a comitter
but believe you should be, send me and Reiner Steib an e-mail.  If you
don't reply I'll assume you don't need the commit bit for now, so
contact me at your leisure.

Comitter instructions: just run (your-favorite-username being whatever
you have used with Gnus CVS):

htpasswd -nd your-favorite-username

and send the output to me.  This password should not be used anywhere
else.

Big thanks to Lars, he did a lot to get us going, including putting up
with my nagging and of course hosting the repository machine and
bandwidth :)

Ted

Re: Gnus Git repository info and comitters: need updated password

[David Engster]

Ted Zlatanov <tzz@lifelogs.com> writes:
> but it may need to be completely redone before it's finalized.  I
> imported the history from git://randomsample.de/gnus.git (thanks to
> David Engster) but it needs to be verified.  It's 1.6 GB on the server
> so a git clone takes a while

You probably want to repack that. My gnus.git is about 25 MB.

> (I don't know a good way to make it faster).

Using the git protocol instead of http would speed things up considerably.

I should also mention that I did a straight git-cvsimport from the CVS
repo, which included the fixes by Andreas Schwab. I don't know if
cvsimport can handle everything, so maybe some additional manual fixing
is necessary. Andreas surely knows more about that kinda stuff than I
do, and I remember he also did a conversion back then.

-David

Re: Gnus Git repository info and comitters: need updated password

[Adam Sjøgren]

On Mon, 12 Apr 2010 10:31:34 +0200, David wrote:

>> (I don't know a good way to make it faster).

> Using the git protocol instead of http would speed things up
> considerably.

There is, btw., improved http-support in git, but I guess it needs some
configuration on the webserver (and a new(ish) client):

 * http://progit.org/2010/03/04/smart-http.html


  Best regards,

     Adam

-- 
 "Simsala-hyp!"                                               Adam Sjøgren
                                                         asjo@koldfront.dk

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> You can look at it read-only right now at http://git.gnus.org/gnus.git

$ host git.gnus.org
Host git.gnus.org not found: 3(NXDOMAIN)

> but it may need to be completely redone before it's finalized.  I
> imported the history from git://randomsample.de/gnus.git (thanks to
> David Engster) but it needs to be verified.  It's 1.6 GB on the server

How did you manage to do that??  A clone should not produce anything
bigger than the cloned repository.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

David Engster <deng@randomsample.de> writes:

> I should also mention that I did a straight git-cvsimport from the CVS
> repo, which included the fixes by Andreas Schwab. I don't know if
> cvsimport can handle everything, so maybe some additional manual fixing
> is necessary. Andreas surely knows more about that kinda stuff than I
> do, and I remember he also did a conversion back then.

Your did not use an author file so all authors/commiters are missing
full names.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Mon, 12 Apr 2010 19:27:05 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>> You can look at it read-only right now at http://git.gnus.org/gnus.git

AS> $ host git.gnus.org
AS> Host git.gnus.org not found: 3(NXDOMAIN)

Sorry, it works here so I don't know why it fails for you:

git.gnus.org has address 80.91.231.55

>> but it may need to be completely redone before it's finalized.  I
>> imported the history from git://randomsample.de/gnus.git (thanks to
>> David Engster) but it needs to be verified.  It's 1.6 GB on the server

AS> How did you manage to do that??  A clone should not produce anything
AS> bigger than the cloned repository.

I didn't remember to repack.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Mon, 12 Apr 2010 10:31:34 +0200 David Engster <deng@randomsample.de> wrote: 

DE> Using the git protocol instead of http would speed things up considerably.

I set up the git-daemon so as soon as the firewall port is opened it will
be available.

On Mon, 12 Apr 2010 19:36:15 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> David Engster <deng@randomsample.de> writes:

>> I should also mention that I did a straight git-cvsimport from the CVS
>> repo, which included the fixes by Andreas Schwab. I don't know if
>> cvsimport can handle everything, so maybe some additional manual fixing
>> is necessary. Andreas surely knows more about that kinda stuff than I
>> do, and I remember he also did a conversion back then.

AS> Your did not use an author file so all authors/commiters are missing
AS> full names.

Can this be fixed now or do we need a new CVS import?

Thanks
Ted

Re: Gnus Git repository info and comitters: need updated password

[Bjørn Mork]

Ted Zlatanov <tzz@lifelogs.com> writes:
> On Mon, 12 Apr 2010 19:27:05 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 
>
> AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> You can look at it read-only right now at http://git.gnus.org/gnus.git
>
> AS> $ host git.gnus.org
> AS> Host git.gnus.org not found: 3(NXDOMAIN)
>
> Sorry, it works here so I don't know why it fails for you:
>
> git.gnus.org has address 80.91.231.55

There are quite a few things wrong with the gnus.org zone:

1) NS mismatch:

bjorn@canardo:~$ dig ns gnus.org @a0.org.afilias-nst.info.

; <<>> DiG 9.5.1-P3 <<>> ns gnus.org @a0.org.afilias-nst.info.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56044
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gnus.org.                      IN      NS

;; AUTHORITY SECTION:
gnus.org.               86400   IN      NS      ns2.netfonds.net.
gnus.org.               86400   IN      NS      ns1.netfonds.com.

;; Query time: 266 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Mon Apr 12 20:23:24 2010
;; MSG SIZE  rcvd: 86

bjorn@canardo:~$ dig ns gnus.org @ns1.netfonds.com

; <<>> DiG 9.5.1-P3 <<>> ns gnus.org @ns1.netfonds.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8281
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gnus.org.                      IN      NS

;; ANSWER SECTION:
gnus.org.               3600    IN      NS      ns2.netfonds.com.
gnus.org.               3600    IN      NS      ns1.netfonds.com.
gnus.org.               3600    IN      NS      ns1.psychetect.com.

;; ADDITIONAL SECTION:
ns1.netfonds.com.       86400   IN      A       80.91.224.199
ns2.netfonds.com.       86400   IN      A       80.91.224.245

;; Query time: 43 msec
;; SERVER: 80.91.224.199#53(80.91.224.199)
;; WHEN: Mon Apr 12 20:24:42 2010
;; MSG SIZE  rcvd: 135


2) authoritative servers not in sync:

bjorn@canardo:~$ dig soa gnus.org @ns1.netfonds.com

; <<>> DiG 9.5.1-P3 <<>> soa gnus.org @ns1.netfonds.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5476
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gnus.org.                      IN      SOA

;; ANSWER SECTION:
gnus.org.               3600    IN      SOA     ns1.netfonds.com. hostmaster.netfonds.no. 2010041100 3600 7200 604800 3600

;; AUTHORITY SECTION:
gnus.org.               3600    IN      NS      ns1.psychetect.com.
gnus.org.               3600    IN      NS      ns2.netfonds.com.
gnus.org.               3600    IN      NS      ns1.netfonds.com.

;; ADDITIONAL SECTION:
ns1.netfonds.com.       86400   IN      A       80.91.224.199
ns2.netfonds.com.       86400   IN      A       80.91.224.245

;; Query time: 37 msec
;; SERVER: 80.91.224.199#53(80.91.224.199)
;; WHEN: Mon Apr 12 20:25:26 2010
;; MSG SIZE  rcvd: 193

bjorn@canardo:~$ dig soa gnus.org @ns2.netfonds.com

; <<>> DiG 9.5.1-P3 <<>> soa gnus.org @ns2.netfonds.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40843
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gnus.org.                      IN      SOA

;; ANSWER SECTION:
gnus.org.               3600    IN      SOA     ns1.netfonds.com. hostmaster.netfonds.no. 2010010800 3600 7200 604800 3600

;; AUTHORITY SECTION:
gnus.org.               3600    IN      NS      ns1.netfonds.com.
gnus.org.               3600    IN      NS      ns1.psychetect.com.
gnus.org.               3600    IN      NS      ns2.netfonds.com.

;; ADDITIONAL SECTION:
ns1.netfonds.com.       86400   IN      A       80.91.224.199
ns2.netfonds.com.       86400   IN      A       80.91.224.245

;; Query time: 247 msec
;; SERVER: 80.91.224.245#53(80.91.224.245)
;; WHEN: Mon Apr 12 20:25:36 2010
;; MSG SIZE  rcvd: 193


3) unreacheable autoritative server:

bjorn@canardo:~$ dig ns psychetect.com @a.gtld-servers.net

; <<>> DiG 9.5.1-P3 <<>> ns psychetect.com @a.gtld-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31364
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;psychetect.com.                        IN      NS

;; AUTHORITY SECTION:
psychetect.com.         172800  IN      NS      ns1.psychetect.com.
psychetect.com.         172800  IN      NS      ns1.twisted4life.com.

;; ADDITIONAL SECTION:
ns1.psychetect.com.     172800  IN      A       64.81.60.235
ns1.twisted4life.com.   172800  IN      A       202.157.182.142

;; Query time: 220 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Mon Apr 12 20:26:20 2010
;; MSG SIZE  rcvd: 113

bjorn@canardo:~$ dig ns1.psychetect.com  @64.81.60.235

; <<>> DiG 9.5.1-P3 <<>> ns1.psychetect.com @64.81.60.235
;; global options:  printcmd
;; connection timed out; no servers could be reached





This *will* make the zone unreliable.  And at the moment, the existence of
git.gnus.org depends on whether you happen to ask ns1.netfonds.com or
ns2.netfonds.com.



Bjørn

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Mon, 12 Apr 2010 19:27:05 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 
>
> AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> You can look at it read-only right now at http://git.gnus.org/gnus.git
>
> AS> $ host git.gnus.org
> AS> Host git.gnus.org not found: 3(NXDOMAIN)
>
> Sorry, it works here so I don't know why it fails for you:
>
> git.gnus.org has address 80.91.231.55

The nameservers are badly maintained:

$ host git.gnus.org ns1.psychetect.com
host: couldn't get address for 'ns1.psychetect.com': not found
$ host git.gnus.org ns2.netfonds.com
Using domain server:
Name: ns2.netfonds.com
Address: 80.91.224.245#53
Aliases: 

$ host git.gnus.org ns1.netfonds.com
Using domain server:
Name: ns1.netfonds.com
Address: 80.91.224.199#53
Aliases: 

git.gnus.org has address 80.91.231.55

>>> but it may need to be completely redone before it's finalized.  I
>>> imported the history from git://randomsample.de/gnus.git (thanks to
>>> David Engster) but it needs to be verified.  It's 1.6 GB on the server
>
> AS> How did you manage to do that??  A clone should not produce anything
> AS> bigger than the cloned repository.
>
> I didn't remember to repack.

You should not have to do that in the first place.  A simple clone
cannot blow up the repo in such a way.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> AS> Your did not use an author file so all authors/commiters are missing
> AS> full names.
>
> Can this be fixed now or do we need a new CVS import?

You can do a filter-branch, but a new import will probably be easier (or
use the repo at repo.or.cz).

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Mon, 12 Apr 2010 20:29:38 +0200 Bjørn Mork <bjorn@mork.no> wrote: 

BM> There are quite a few things wrong with the gnus.org zone:

BM> 1) NS mismatch:
...
BM> 2) authoritative servers not in sync:
...
BM> 3) unreacheable autoritative server:
...
BM> This *will* make the zone unreliable.  And at the moment, the existence of
BM> git.gnus.org depends on whether you happen to ask ns1.netfonds.com or
BM> ns2.netfonds.com.

Thanks, Bjorn.  I didn't notice these problems.  Lars manages the
gnus.org zone so I've CC-ed him.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> You can look at it read-only right now at http://git.gnus.org/gnus.git

$ git clone http://git.gnu.org/gnus.git
Initialized empty Git repository in /home/andreas/src/gnus/tmp/gnus/.git/
fatal: http://git.gnu.org/gnus.git/info/refs not found: did you run git update-server-info on the server?

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Mon, 12 Apr 2010 21:12:56 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>> You can look at it read-only right now at http://git.gnus.org/gnus.git

AS> $ git clone http://git.gnu.org/gnus.git
AS> Initialized empty Git repository in /home/andreas/src/gnus/tmp/gnus/.git/
AS> fatal: http://git.gnu.org/gnus.git/info/refs not found: did you run git update-server-info on the server?

I did that typo a few times too :)

Ted

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Mon, 12 Apr 2010 21:12:56 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 
>
> AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> You can look at it read-only right now at http://git.gnus.org/gnus.git
>
> AS> $ git clone http://git.gnu.org/gnus.git
> AS> Initialized empty Git repository in /home/andreas/src/gnus/tmp/gnus/.git/
> AS> fatal: http://git.gnu.org/gnus.git/info/refs not found: did you run git update-server-info on the server?
>
> I did that typo a few times too :)

:-)

(You should set user.name and user.email, see git-config(1))

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Mon, 12 Apr 2010 20:57:12 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Ted Zlatanov <tzz@lifelogs.com> writes:
AS> Your did not use an author file so all authors/commiters are missing
AS> full names.
>> 
>> Can this be fixed now or do we need a new CVS import?

AS> You can do a filter-branch, but a new import will probably be easier (or
AS> use the repo at repo.or.cz).

Can you try http://git.gnus.org/gnus.git again?  I've re-imported it
from repo.or.cz.

I followed this procedure to import (plus an initial test commit) for
both yours and David Engster's repositories:

git remote add -f gnus-cvs-mirror git://repo.or.cz/gnus.git
git merge -s ours --no-commit gnus-cvs-mirror/master
git read-tree --prefix=/ -u gnus-cvs-mirror/master
git commit -m 'merge the Gnus CVS mirror from git://repo.or.cz/gnus.git'

On push, it generated (on the wire and on disk) 1.6 GB of data.  `git
repack; git gc' brought it back down to 34 MB on disk.

The old repo is moved aside so any existing clones will not work.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

For those who use the plain http repo 
("git clone http://git.gnus.org/gnus.git"), make sure to remove the old
clone and redo your clone.  I redid it completely on the server last night
(2010-04-13) so it's a clean replay of the repo.or.cz mirror now.

Comitters, if you sent me an updated password it's been added (thanks!).
You can test with (GIT_CURL_VERBOSE is optional):

GIT_SSL_NO_VERIFY=1 GIT_CURL_VERBOSE=1 git clone https://git.gnus.org/gnus.git
cd gnus
git config http.sslVerify false

The third line is necessary or you'll have to prefix all your Git
commands with GIT_SSL_NO_VERIFY=1.  If Lars gets a SSL certificate for
ding.gnus.org it won't be necessary, but I'm OK with it personally.  We
could also install a custom CA but that's IMHO a bigger pain.

If you are new to Git, you'll probably like Magit.  It's a very good
wrapper around basic Git functionality like staging, committing,
pushing/pulling, and ammending.  I use it most of the time and drop to a
shell when needed.  You can also use the vc-dir functionality but that's
much less Git-specific so it may not work for you.

I still consider this experimental so don't rely on it.  We'll probably
go live this week.

Ted

p.s. Remember to also configure your Git user.email and user.name.
Here's my .gitconfig, with some convenient (I'm used to Subversion)
aliases:

% cat ~/.gitconfig               
[user]
        name = Ted Zlatanov
        email = tzz@lifelogs.com
[color]
        diff = auto
        status = auto
        branch = auto
        interactive = auto

[alias]
        st = status
        ci = commit
        co = checkout
        staged = "diff --cached"
        unstaged = diff
        both = "diff HEAD"
        oneline = "log --pretty=oneline"
        amend = "commit --ammend"

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> I followed this procedure to import (plus an initial test commit) for
> both yours and David Engster's repositories:
>
> git remote add -f gnus-cvs-mirror git://repo.or.cz/gnus.git
> git merge -s ours --no-commit gnus-cvs-mirror/master
> git read-tree --prefix=/ -u gnus-cvs-mirror/master
> git commit -m 'merge the Gnus CVS mirror from git://repo.or.cz/gnus.git'

What's wrong with git clone?  Why do you need to merge anything?

> The old repo is moved aside so any existing clones will not work.

git fetch will work anyway.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Romain Francoise]

Ted Zlatanov <tzz@lifelogs.com> writes:

> I still consider this experimental so don't rely on it. We'll
> probably go live this week.

The repository appears to have a single branch (master) and no tags,
is that considered normal?

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Wed, 14 Apr 2010 13:24:15 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I followed this procedure to import (plus an initial test commit) for
>> both yours and David Engster's repositories:
>> 
>> git remote add -f gnus-cvs-mirror git://repo.or.cz/gnus.git
>> git merge -s ours --no-commit gnus-cvs-mirror/master
>> git read-tree --prefix=/ -u gnus-cvs-mirror/master
>> git commit -m 'merge the Gnus CVS mirror from git://repo.or.cz/gnus.git'

AS> What's wrong with git clone?  Why do you need to merge anything?

I thought this was the proper procedure for merging two repositories,
and that `git clone' preserved the upstream master (repo.or.cz) which I
didn't want.  Could you provide instructions that would end up with a
"gnus.git" directory populated properly, to save us all time?  Thanks
for your patience.

On Wed, 14 Apr 2010 13:34:39 +0200 Romain Francoise <romain@orebokech.com> wrote: 

RF> Ted Zlatanov <tzz@lifelogs.com> writes:

>> I still consider this experimental so don't rely on it. We'll
>> probably go live this week.

RF> The repository appears to have a single branch (master) and no tags,
RF> is that considered normal?

It may be an artifact of the way I merged.  If so, sorry for the
inconvenience.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Wed, 14 Apr 2010 13:24:15 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 
>
> AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> I followed this procedure to import (plus an initial test commit) for
>>> both yours and David Engster's repositories:
>>> 
>>> git remote add -f gnus-cvs-mirror git://repo.or.cz/gnus.git
>>> git merge -s ours --no-commit gnus-cvs-mirror/master
>>> git read-tree --prefix=/ -u gnus-cvs-mirror/master
>>> git commit -m 'merge the Gnus CVS mirror from git://repo.or.cz/gnus.git'
>
> AS> What's wrong with git clone?  Why do you need to merge anything?
>
> I thought this was the proper procedure for merging two repositories,

Which two repositories?  All you want is a copy of the repository, and
git clone does exactly that.

> and that `git clone' preserved the upstream master (repo.or.cz) which I
> didn't want.  Could you provide instructions that would end up with a
> "gnus.git" directory populated properly, to save us all time?  Thanks
> for your patience.

You want to clone a mirror (git clone --mirror).

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Wed, 14 Apr 2010 18:59:58 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> You want to clone a mirror (git clone --mirror).

OK.  I did that and the new repo has replaced the old faulty one.  Can
you please check?  The log looks much better now.

I removed this from the config:

[remote "origin"]
        fetch = +refs/*:refs/*
        mirror = true
        url = git://repo.or.cz/gnus.git

to reflect that there's no upstream origin.  I think that's the right
approach based on my understanding of the docs.

Thanks
Ted

Re: Gnus Git repository info and comitters: need updated password

[Katsumi Yamaoka]

>>>>> Ted Zlatanov wrote:
> GIT_SSL_NO_VERIFY=1 GIT_CURL_VERBOSE=1 git clone https://git.gnus.org/gnus.git

Did anyone succeed in cloning the writable repo behind the firewall
(or http proxy)?  If so, how?  I haven't made good yet.  Using
80.91.231.55 instead of the host name made no difference, either.
I'll try it at home later.

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Wed, 14 Apr 2010 18:59:58 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 
>
> AS> You want to clone a mirror (git clone --mirror).
>
> OK.  I did that and the new repo has replaced the old faulty one.  Can
> you please check?  The log looks much better now.

Did you change the URL?  http://git.gnus.org/gnus.git no longer exists.
And the DNS entry for git.gnus.org is still unreliable.

> I removed this from the config:
>
> [remote "origin"]
>         fetch = +refs/*:refs/*
>         mirror = true
>         url = git://repo.or.cz/gnus.git
>
> to reflect that there's no upstream origin.  I think that's the right
> approach based on my understanding of the docs.

Aka "git remote rm origin".  Actually it wouldn't really bother anyone.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Thu, 15 Apr 2010 15:50:59 +0900 Katsumi Yamaoka <yamaoka@jpl.org> wrote: 

>>>>>> Ted Zlatanov wrote:
>> GIT_SSL_NO_VERIFY=1 GIT_CURL_VERBOSE=1 git clone https://git.gnus.org/gnus.git

KY> Did anyone succeed in cloning the writable repo behind the firewall
KY> (or http proxy)?  If so, how?  I haven't made good yet.  Using
KY> 80.91.231.55 instead of the host name made no difference, either.
KY> I'll try it at home later.

On Thu, 15 Apr 2010 09:57:54 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Ted Zlatanov <tzz@lifelogs.com> writes:

>> On Wed, 14 Apr 2010 18:59:58 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 
>> 
AS> You want to clone a mirror (git clone --mirror).
>> 
>> OK.  I did that and the new repo has replaced the old faulty one.  Can
>> you please check?  The log looks much better now.

AS> Did you change the URL?  http://git.gnus.org/gnus.git no longer exists.
AS> And the DNS entry for git.gnus.org is still unreliable.

I don't control the DNS for gnus.org.  It does, fortunately, work for me:

git clone http://git.gnus.org/gnus.git gnus-read-only

GIT_SSL_NO_VERIFY=1 git clone https://git.gnus.org/gnus.git gnus-full

I think you may need to use the name and not the IP address for SSL, but
I may be wrong.  Try putting the address in /etc/hosts instead of
specifying the IP directly.

Behind a firewall, you can probably use the curl options (in ~/.curlrc)
to control the behavior.  See GIT_CURL_VERBOSE and try to replicate what
it does when it fails.

AS> Aka "git remote rm origin".  Actually it wouldn't really bother anyone.

Thanks for your advice.  I'll leave it out to keep the config shorter,
unless there's a reason to keep it.

I've set up post-receive e-mails to go to me (you can see the config)
while we're testing.  I'll change it to the old cvslog address when I
know that works, too.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

I have updated the repo at repo.or.cz with the latest CVS revisions.
You may want to update the git.gnus.org repo.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Seltenreich]

Andreas Schwab writes:

> I have updated the repo at repo.or.cz with the latest CVS revisions.
> You may want to update the git.gnus.org repo.

I fetched and merged those before committing the fix to gnus.texi.

I also inadvertently wiped all the tags from the git.gnus.org repository
during my fist push[1], but they should be back any minute now...

regards,
andreas

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Fri, 16 Apr 2010 00:54:40 +0200 Andreas Seltenreich <andreas+ding@gate450.dyndns.org> wrote: 

AS> Andreas Schwab writes:
>> I have updated the repo at repo.or.cz with the latest CVS revisions.
>> You may want to update the git.gnus.org repo.

AS> I fetched and merged those before committing the fix to gnus.texi.

AS> I also inadvertently wiped all the tags from the git.gnus.org repository
AS> during my fist push[1], but they should be back any minute now...

I see 3 commits since the April 1 work Andreas did in the git.gnus.org repo:

commit 9354070bf91eb7a0fa030e8c400a23862c1f874e
Author: Andreas Seltenreich <andreas+git@gate450.dyndns.org>
Date:   Thu Apr 15 22:52:55 2010 +0200

commit e108c4f558ea6ef3ac7f5642699cbcf67925a48a
Author: Katsumi Yamaoka <yamaoka@jpl.org>
Date:   Wed Apr 14 23:16:40 2010 +0000

commit b1bcfd02ea8a4680c010f740cfabfd0012b67910
Author: Katsumi Yamaoka <yamaoka@jpl.org>
Date:   Wed Apr 14 14:54:28 2010 +0000

so I think we are in sync.

As the next logical step, I have disabled CVS commits.  The CVS repo is
still available for read-only access.  Please speak up now if you think
we should not switch to the new git.gnus.org repo this weekend.  I will
also modify the Gnus web site to point to the new repo at that time and
start talking with the Emacs developers about synchronizing both ways
with the Emacs Bazaar repo.

Given the popularity of Git and the faded beauty of CVS I don't see a
reason to keep the old CVS repo up past this weekend.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Katsumi Yamaoka]

>>>>> Ted Zlatanov wrote:
> On Thu, 15 Apr 2010 15:50:59 +0900 Katsumi Yamaoka <yamaoka@jpl.org> wrote:
[...]
KY> Did anyone succeed in cloning the writable repo behind the firewall
KY> (or http proxy)?  If so, how?  I haven't made good yet.  Using
KY> 80.91.231.55 instead of the host name made no difference, either.
[...]
> Behind a firewall, you can probably use the curl options (in ~/.curlrc)
> to control the behavior.  See GIT_CURL_VERBOSE and try to replicate what
> it does when it fails.

I did it!  The Gnus Git repo and the Emacs trunk is now synch'd
(the recent changes made in gnus.texi in the emacs-23 branch
will be merged to the trunk later).

First, I found I need setting of the environment variable
`HTTPS_PROXY' rather than `http_proxy':

export HTTPS_PROXY=proxy.example.com:8080

Second, I didn't know git-remote-https (or git-remote-curl) reads
the ~/.netrc file, but it cannot handle password containing SPC.
I use just such a password "PASS WORD", and I found out the only
way to pass it to Git is:

git clone 'https://yamaoka:PASS WORD@git.gnus.org/gnus.git'

But that the ps command exposes it is bad from every point of view.
I'll ask Ted to change it into the one that doesn't contain SPC.

Regards,

Re: Gnus Git repository info and comitters: need updated password

[Didier Verna]

Ted Zlatanov <tzz@lifelogs.com> wrote:

> Comitters, if you sent me an updated password it's been added
> (thanks!). You can test with (GIT_CURL_VERBOSE is optional):
>
> GIT_SSL_NO_VERIFY=1 GIT_CURL_VERBOSE=1 git clone https://git.gnus.org/gnus.git
> cd gnus
> git config http.sslVerify false

Worked here (apart from the fact that I had to mention my name
explicitely in the URL).

-- 
Resistance is futile. You will be jazzimilated.

Scientific site:   http://www.lrde.epita.fr/~didier
Music (Jazz) site: http://www.didierverna.com

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Fri, 16 Apr 2010 15:14:23 +0900 Katsumi Yamaoka <yamaoka@jpl.org> wrote: 

KY> I did it!  The Gnus Git repo and the Emacs trunk is now synch'd
KY> (the recent changes made in gnus.texi in the emacs-23 branch
KY> will be merged to the trunk later).

Nice, thanks.

KY> First, I found I need setting of the environment variable
KY> `HTTPS_PROXY' rather than `http_proxy':

KY> export HTTPS_PROXY=proxy.example.com:8080

KY> Second, I didn't know git-remote-https (or git-remote-curl) reads
KY> the ~/.netrc file, but it cannot handle password containing SPC.
KY> I use just such a password "PASS WORD", and I found out the only
KY> way to pass it to Git is:

KY> git clone 'https://yamaoka:PASS WORD@git.gnus.org/gnus.git'

I'll put this information on the web page as well.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Btw., you may want to set the receive.denyDeletes and
receive.denyNonFastForwards config options (see git-config(1)) to
prevent accidental damage to the history.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Seltenreich]

I wrote:

> I also inadvertently wiped all the tags from the git.gnus.org repository
> during my first push

I'm still puzzling over the 170k line shell/libcurl/WebDAV log[1] on what
exactly happened.  Here's a recap:

"git ls-remote origin" had sensible output before the push,
listing >600 refs.

,----
| $ git-push --dry-run origin master
| Fetching remote heads...
|   refs/tags/
|   refs/heads/
|   refs/
| updating 'refs/heads/master'
|   from 0000000000000000000000000000000000000000
|   to   9354070bf91eb7a0fa030e8c400a23862c1f874e
| Updating remote server info
`----

That 000... seemed strange, but I dismissed it as an artifact of the --dry-run

,----
| $ git-push origin master
| Fetching remote heads...
|   refs/tags/
|   refs/heads/
|   refs/
| updating 'refs/heads/master'
|   from 0000000000000000000000000000000000000000
|   to   9354070bf91eb7a0fa030e8c400a23862c1f874e
|   C-c C-cRemoving remote locks...
|  -> 130
`----

After about five minutes of no apparent progress I decided to restart
with debug output enabled.

,----
| $ GIT_CURL_VERBOSE=1 git-push -v origin master
| [ 10k lines of debug output stripped ]
`----

After completion, ls-remote listed 2 instead of > 600 refs:

,----
| $ git ls-remote origin
| 9354070bf91eb7a0fa030e8c400a23862c1f874e	HEAD
| 9354070bf91eb7a0fa030e8c400a23862c1f874e	refs/heads/master
`----

The repository I pushed from[2] still contained all tags and heads,
while a freshly cloned one confirmed their lack on git.gnus.org.

I can't find anything in the git manuals that explains the disappearance
of the refs... Am I missing something here?  Hard to believe that
Control-C could cause something like that...

Well, I tried to fix it by explicitly pushing tags and branches:

,----
| GIT_CURL_VERBOSE=1 git-push -v --tags origin master
| GIT_CURL_VERBOSE=1 git-push -v origin origin/*:refs/heads/*
`----

"ls-remote" now listed > 600 refs again, and a fresh clone came with
tags and branches again.

When taking a closer look at the files on http://git.gnus.org/gnus.git
today, I noticed that there is still something amiss: The refs only seem
to exist in the info/refs file.  the refs/{heads,tags} directories are
completely empty.  To my limited git knowledge, this is not a healthy
state since local accesses will not see any refs and wipe the refs in
info/refs on the next run of git-update-server-info.

Maybe this was already the case before my first push and the reason for
the strange behavior of git?

According to the WebDAV-communication[3], the refs/ directory should be
populated by now.  Ted: do you have something in your server logs that
explains why there are no files despite the server's "HTTP/1.1 201
Created" responses?

regards,
andreas

Footnotes: 
[1]  http://gate450.dyndns.org/~andreas/push-debug.txt.gz

[2]  http://gate450.dyndns.org/~andreas/gnus.git

[3]  example:
    > LOCK /gnus.git/refs/heads/v5-10 HTTP/1.1
    User-Agent: git/1.5.6.5
    Host: git.gnus.org
    Accept: */*
    Timeout: Second-600
    Content-Type: text/xml
    Content-Length: 235
    Expect: 100-continue

    < HTTP/1.1 100 Continue
    < HTTP/1.1 200 OK
    < Date: Thu, 15 Apr 2010 23:58:11 GMT
    < Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e DAV/1.0.3 PHP/4.3.10-22
    < Lock-Token: <opaquelocktoken:bf9f18ba-1dd1-11b2-8b53-fb971bf9ad33>
    < Transfer-Encoding: chunked
    < Content-Type: text/xml; charset="utf-8"
    < 
    * Expire cleared
    * Connection #0 to host git.gnus.org left intact
    * Re-using existing connection! (#0) with host git.gnus.org
    * Connected to git.gnus.org (80.91.231.55) port 443 (#0)
    * Server auth using Basic with user 'ansel'
    > PUT /gnus.git/refs/heads/v5-10 HTTP/1.1
    User-Agent: git/1.5.6.5
    Host: git.gnus.org
    Accept: */*
    If: (<opaquelocktoken:bf9f18ba-1dd1-11b2-8b53-fb971bf9ad33>)
    Content-Length: 41
    Expect: 100-continue

    < HTTP/1.1 100 Continue
    < HTTP/1.1 201 Created
    < Date: Thu, 15 Apr 2010 23:58:12 GMT
    < Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e DAV/1.0.3 PHP/4.3.10-22
    < Transfer-Encoding: chunked
    < Content-Type: text/html; charset=iso-8859-1
    < 
    * Expire cleared
    * Connection #0 to host git.gnus.org left intact
        done
    * Re-using existing connection! (#0) with host git.gnus.org
    * Connected to git.gnus.org (80.91.231.55) port 443 (#0)
    * Server auth using Basic with user 'ansel'
    > UNLOCK /gnus.git/refs/heads/v5-10 HTTP/1.1
    User-Agent: git/1.5.6.5
    Host: git.gnus.org
    Accept: */*
    Lock-Token: <opaquelocktoken:bf9f18ba-1dd1-11b2-8b53-fb971bf9ad33>

    < HTTP/1.1 204 No Content
    < Date: Thu, 15 Apr 2010 23:58:12 GMT
    < Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e DAV/1.0.3 PHP/4.3.10-22
    < Content-Type: text/plain; charset=iso-8859-1
    < 

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Andreas Seltenreich <andreas+ding@gate450.dyndns.org> writes:

> When taking a closer look at the files on http://git.gnus.org/gnus.git
> today, I noticed that there is still something amiss: The refs only seem
> to exist in the info/refs file.  the refs/{heads,tags} directories are
> completely empty.

The refs are packed, see <http://git.gnus.org/gnus.git/packed-refs>.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

Andreas Seltenreich <andreas+ding@gate450.dyndns.org> writes:

>     User-Agent: git/1.5.6.5

You have a very old version of git, perhaps it cannot cope with
packed-refs.  Probably the server needs to be configured with
gc.packrefs=false.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Seltenreich]

Andreas Schwab writes:

> The refs are packed, see <http://git.gnus.org/gnus.git/packed-refs>.

I see - so the remote end is out of suspicion for now.

> You have a very old version of git, perhaps it cannot cope with
> packed-refs.  Probably the server needs to be configured with
> gc.packrefs=false.

I've updated to 1.7.0.5.  Hopefully, the next push will be a bit less
remarkable.

Thanks,
andreas

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Fri, 16 Apr 2010 23:49:07 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Btw., you may want to set the receive.denyDeletes and
AS> receive.denyNonFastForwards config options (see git-config(1)) to
AS> prevent accidental damage to the history.

Done, thanks.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sat, 17 Apr 2010 12:29:14 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Andreas Seltenreich <andreas+ding@gate450.dyndns.org> writes:
>> User-Agent: git/1.5.6.5

AS> You have a very old version of git, perhaps it cannot cope with
AS> packed-refs.  Probably the server needs to be configured with
AS> gc.packrefs=false.

I'd rather keep the packed refs and ask people to upgrade git, which is
sure to have other benefits as well.  I'll make a mention of this.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

I published information on accessing the Gnus repo at
http://git.gnus.org/ so if you want to check it or make suggestions,
please do.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sat, 17 Apr 2010 16:28:14 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> I published information on accessing the Gnus repo at
TZ> http://git.gnus.org/ so if you want to check it or make suggestions,
TZ> please do.

I also put that page in the Git repo (under www/) and comitted some
other changes in the docs and a few source files to reflect the switch
to Git.

The Makefile still uses CVS heavily for releases but I'd like Reiner to
decide how the release process will work.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Tim Landscheidt]

Ted Zlatanov <tzz@lifelogs.com> wrote:

> TZ> I published information on accessing the Gnus repo at
> TZ> http://git.gnus.org/ so if you want to check it or make suggestions,
> TZ> please do.

> I also put that page in the Git repo (under www/) and comitted some
                                                        ^^^^^^^^
> other changes in the docs and a few source files to reflect the switch
> to Git.

> The Makefile still uses CVS heavily for releases but I'd like Reiner to
> decide how the release process will work.

Even though you are consistent about it: It's
"co*mm*it" :-). I find the "GIT_SSL_NO_VERIFY=1" bit a lit-
tle troubling as the right way(TM) would probably to install
the certificate locally.

  Is the repo "stable" now?

Tim

Re: Gnus Git repository info and comitters: need updated password

[Andreas Schwab]

I think you should be able to include spaces in the password by
enclosing it in double quotes in the .netrc file.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus Git repository info and comitters: need updated password

[Andreas Seltenreich]

Tim Landscheidt writes:

>   Is the repo "stable" now?

Not quite.  Since Ted's push, the packed refs disappeared from the
info/refs file again and a clone via http[1] lacked all tags and
branches except for the master branch.  Maybe somehow
git-update-server-info is not doing its job?

regards,
andreas

Footnotes: 
[1]  tested with git version 1.7.0.5

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sat, 17 Apr 2010 23:26:02 +0000 Tim Landscheidt <tim@tim-landscheidt.de> wrote: 

TL> Even though you are consistent about it: It's
TL> "co*mm*it" :-). I find the "GIT_SSL_NO_VERIFY=1" bit a lit-
TL> tle troubling as the right way(TM) would probably to install
TL> the certificate locally.

I fixed that typo in www/git.gnus.org/index.html.  Thanks.

As far as the SSL certificate, similarly to the DNS issues, I don't run
the gnus.org domain so when Lars has the time to address it he will.

On Sun, 18 Apr 2010 11:51:34 +0200 Andreas Seltenreich <andreas+ding@gate450.dyndns.org> wrote: 

AS> Tim Landscheidt writes:

>> Is the repo "stable" now?

AS> Not quite.  Since Ted's push, the packed refs disappeared from the
AS> info/refs file again and a clone via http[1] lacked all tags and
AS> branches except for the master branch.  Maybe somehow
AS> git-update-server-info is not doing its job?

The repo is stable AFAIK.  I can pull an update I've committed; all the
branches and tags show up on a new HTTP clone and on existing HTTP
clones.  Andreas, I'm not sure why it's not working for you.  I'm on
git version 1.7.0.4.

I ran `git repack; git gc' which must have caused this packed ref
cleanup.  I can't find advice on how often to run it (the man page says
we are "encouraged to run this task on a regular basis" but that could
be once per millenium); should it be once a month or once a year given
our 3-4 commits per week?  I've left it monthly for now.

Anyhow, the refs got repacked because gc.packrefs is true by default.  I
set it to "nobare" instead and this shouldn't happen again IIUC.

*** I'd like to make the new Git repo official as of today unless there
are objections. ***

I don't know how soon www.gnus.org can be updated because it's managed
by Lars outside what I can edit, but I think disabling the Gnus CVS
repository will be a pretty good way to indicate it's no longer active.
I can always re-enable it if there's a need.  So the main web site will
be inaccurate for some period, that's all.  I think with the proper
announcement on the Emacs newsgroups+mailing lists and the wiki we can
cope with that.

On Sun, 18 Apr 2010 10:47:15 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> I think you should be able to include spaces in the password by
AS> enclosing it in double quotes in the .netrc file.

At least with 

curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15

it doesn't work.  I just tried it.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Leo]

On 2010-04-18 12:53 +0100, Ted Zlatanov wrote:
> *** I'd like to make the new Git repo official as of today unless there
> are objections. ***

I am so glad to see gnus choose a good dvc like git. Thank you.

> I don't know how soon www.gnus.org can be updated because it's managed
> by Lars outside what I can edit, but I think disabling the Gnus CVS
> repository will be a pretty good way to indicate it's no longer active.
> I can always re-enable it if there's a need.  So the main web site will
> be inaccurate for some period, that's all.  I think with the proper
> announcement on the Emacs newsgroups+mailing lists and the wiki we can
> cope with that.

May it be possible for some one to take over maintenance from Lars?

Leo

Re: Gnus Git repository info and comitters: need updated password

[Andreas Seltenreich]

[-- Attachment #1: Type: text/plain, Size: 2508 bytes --]

Ted Zlatanov writes:

> On Sun, 18 Apr 2010 11:51:34 +0200 Andreas Seltenreich <andreas+ding@gate450.dyndns.org> wrote: 
>
> AS> Tim Landscheidt writes:
>
>>> Is the repo "stable" now?
>
> AS> Not quite.  Since Ted's push, the packed refs disappeared from the
> AS> info/refs file again and a clone via http[1] lacked all tags and
> AS> branches except for the master branch.  Maybe somehow
> AS> git-update-server-info is not doing its job?
>
> The repo is stable AFAIK.  I can pull an update I've committed; all the
> branches and tags show up on a new HTTP clone and on existing HTTP
> clones.  Andreas, I'm not sure why it's not working for you.  I'm on
> git version 1.7.0.4.

Did you happen to do the test clone after 10:12 UTC?  I've set up a
cronjob on friday to monitor some directories on git.gnus.org to get
more clues while debugging (output attached).  The info/refs file
oscillated between 1k and 32k (i.e., including the packed-refs or not).
It appears to shrink on each push and is reset to 32k at 10:12 UTC each
day.  (Maybe a cronjob on your side?)  This correlates with whether I
see the packed-refs in a fresh clone[1] or not.

I checked locally to confirm that git-update-server-info groks packed
refs and updates the info/refs file properly.  A hook running
git-update-server-info is also activated on git.gnus.org, but I guess
those hooks aren't run at all on WebDAV accesses?

Here's some more evidence from the log mentioned yesterday[2] that
pushing placed a bogus (see file size) info/refs file:

,----
| > PUT /gnus.git/info/refs HTTP/1.1
| User-Agent: git/1.5.6.5
| Host: git.gnus.org
| Accept: */*
| If: (<opaquelocktoken:1eb4020a-1dd2-11b2-8b53-fb971bf9ad33>)
| Content-Length: 59
| Expect: 100-continue
`----

I haven't tested to push yet with the newer git, but as the release
notes say that packed-refs are supported since 1.4.x, I'm not convinced
that a newer git behaves differently.

I see some ways to go from here:

- Use smart protocols (git/ssh) instead of dumb ones (http/webdav).
  This way the info/* files aren't needed.  As a bonus, the
  communication is much more efficient.

- Make sure the hooks are run so git-update-server-info can generate a
  valid info/refs no matter what git PUT there through WebDAV.

- Fix git to PUT a proper info/refs file.

- Get rid of packed-refs, as suggested by Andreas, may also work.

regards,
andreas

Footnotes: 
[1]  also "git ls-remote", a faster way to check

[2]  http://gate450.dyndns.org/~andreas/push-debug.txt.gz


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 4123 bytes --]


*** 2cbe5f2d	2010-04-16 23:24:01.000000000 +0200
--- 2cbe5f2d.0	2010-04-17 13:00:01.000000000 +0200
***************
*** 3,10 ****
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        16-Apr-2010 12:18      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    16-Apr-2010 12:18    36k
  
  -----------------------------------------------------------------------------------------------
--- 3,10 ----
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        17-Apr-2010 12:12      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    17-Apr-2010 12:12    36k
  
  -----------------------------------------------------------------------------------------------
*** 2cbe5f2d	2010-04-17 13:00:01.000000000 +0200
--- 2cbe5f2d.0	2010-04-18 00:00:02.000000000 +0200
***************
*** 3,10 ****
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        17-Apr-2010 12:12      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    17-Apr-2010 12:12    36k
  
  -----------------------------------------------------------------------------------------------
--- 3,10 ----
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        17-Apr-2010 23:00      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    17-Apr-2010 23:57     1k
  
  -----------------------------------------------------------------------------------------------


*** 2cbe5f2d	2010-04-18 00:00:02.000000000 +0200
--- 2cbe5f2d.0	2010-04-18 13:00:01.000000000 +0200
***************
*** 3,10 ****
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        17-Apr-2010 23:00      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    17-Apr-2010 23:57     1k
  
  -----------------------------------------------------------------------------------------------
--- 3,10 ----
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        18-Apr-2010 12:12      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    18-Apr-2010 12:12    36k
  
  -----------------------------------------------------------------------------------------------
*** 2cbe5f2d	2010-04-18 13:00:01.000000000 +0200
--- 2cbe5f2d.0	2010-04-18 14:00:01.000000000 +0200
***************
*** 3,10 ****
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        18-Apr-2010 12:12      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    18-Apr-2010 12:12    36k
  
  -----------------------------------------------------------------------------------------------
--- 3,10 ----
        Name                    Last modified       Size  Description
  -----------------------------------------------------------------------------------------------
  
! [DIR] Parent Directory        18-Apr-2010 13:41      -
  [   ] exclude                 15-Apr-2010 04:53     1k
! [   ] refs                    18-Apr-2010 13:18     1k
  
  -----------------------------------------------------------------------------------------------

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sun, 18 Apr 2010 15:06:16 +0200 Andreas Seltenreich <andreas+ding@gate450.dyndns.org> wrote: 

AS> Did you happen to do the test clone after 10:12 UTC?  I've set up a
AS> cronjob on friday to monitor some directories on git.gnus.org to get
AS> more clues while debugging (output attached).  The info/refs file
AS> oscillated between 1k and 32k (i.e., including the packed-refs or not).
AS> It appears to shrink on each push and is reset to 32k at 10:12 UTC each
AS> day.  (Maybe a cronjob on your side?)  This correlates with whether I
AS> see the packed-refs in a fresh clone[1] or not.

I think the `git repack; git gc' cronjob was the problem.  It ran every
day at that time as you noted.  I made it run monthly instead and in
addition, as I said, disabled the gc.packrefs option.  So tomorrow you
shouldn't experience this anymore.  I hope.

AS> I checked locally to confirm that git-update-server-info groks packed
AS> refs and updates the info/refs file properly.  A hook running
AS> git-update-server-info is also activated on git.gnus.org, but I guess
AS> those hooks aren't run at all on WebDAV accesses?

That must be the problem.  There's little information online about what
to do in this case but I can't enable SSH access to that machine so
whatever we do must work through WebDAV plus custom scripts.  Any
references are appreciated.

AS> I see some ways to go from here:

AS> - Use smart protocols (git/ssh) instead of dumb ones (http/webdav).
AS>   This way the info/* files aren't needed.  As a bonus, the
AS>   communication is much more efficient.

git:// is a read-only protocol IIRC, so it must be SSH (not an option)
or WebDAV.

AS> - Make sure the hooks are run so git-update-server-info can generate a
AS>   valid info/refs no matter what git PUT there through WebDAV.

Sounds like the best option.

AS> - Fix git to PUT a proper info/refs file.

I don't think this can work if it must change git itself.

AS> - Get rid of packed-refs, as suggested by Andreas, may also work.

I don't want to disable those but if we must...

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sun, 18 Apr 2010 13:10:17 +0100 Leo <sdl.web@gmail.com> wrote: 

>> I don't know how soon www.gnus.org can be updated because it's managed
>> by Lars outside what I can edit, but I think disabling the Gnus CVS
>> repository will be a pretty good way to indicate it's no longer active.
>> I can always re-enable it if there's a need.  So the main web site will
>> be inaccurate for some period, that's all.  I think with the proper
>> announcement on the Emacs newsgroups+mailing lists and the wiki we can
>> cope with that.

L> May it be possible for some one to take over maintenance from Lars?

So far Lars is not interested in this option and I'm not eager to run
yet another web site.  I haven't heard from Reiner Steib in ages so I
don't know his position.  

IMO it's best to set up an automatic publisher of the www.gnus.org and
git.gnus.org sites straight from Git (which is why I set up the www/
directory).  That will work regardless of who is the web site maintainer
and will take the publishing burden off that person.  Git is much better
than CVS or SVN for keeping a web site, so we can simply set up a
"for-web-publish" branch and commit into it when a www/ change is ready
to go live.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sun, 18 Apr 2010 10:20:44 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> On Sun, 18 Apr 2010 15:06:16 +0200 Andreas Seltenreich <andreas+ding@gate450.dyndns.org> wrote: 

AS> I checked locally to confirm that git-update-server-info groks packed
AS> refs and updates the info/refs file properly.  A hook running
AS> git-update-server-info is also activated on git.gnus.org, but I guess
AS> those hooks aren't run at all on WebDAV accesses?

TZ> That must be the problem.  There's little information online about what
TZ> to do in this case but I can't enable SSH access to that machine so
TZ> whatever we do must work through WebDAV plus custom scripts.  Any
TZ> references are appreciated.

This must be why the post-receive e-mail hook is also not running, it
dawns on me.  I have to figure this out so the usual commit e-mails can
go out.

A little research tells me about git-http-backend.  Should I be using
that instead of straight WebDAV?  I don't know if it will work under
Apache 1.x so I have to play with it today.

Thanks
Ted

Re: Gnus Git repository info and comitters: need updated password

[Andreas Seltenreich]

Ted Zlatanov writes:

> AS> I checked locally to confirm that git-update-server-info groks packed
> AS> refs and updates the info/refs file properly.  A hook running
> AS> git-update-server-info is also activated on git.gnus.org, but I guess
> AS> those hooks aren't run at all on WebDAV accesses?
>
> TZ> That must be the problem.  There's little information online about what
> TZ> to do in this case but I can't enable SSH access to that machine so
> TZ> whatever we do must work through WebDAV plus custom scripts.  Any
> TZ> references are appreciated.

I'm sure one could improvise a script to be triggered after some WebDAV
request.  Maybe matching with mod_rewrite and filtering through CGI?
That'd be rather messy though...

> This must be why the post-receive e-mail hook is also not running, it
> dawns on me.  I have to figure this out so the usual commit e-mails can
> go out.

I also have the impression that WebDAV won't care about the safety
configuration settings Andreas suggested.

> A little research tells me about git-http-backend.  Should I be using
> that instead of straight WebDAV?  I don't know if it will work under
> Apache 1.x so I have to play with it today.

Sounds very promising.  It uses plain CGI, so I don't see problems with
the old apache.  According to the docs, it should also work nicely with
the existing BasicAuth credentials for write access.  Being a "smart
protocol", it should be more efficient as well.  I'm still shivering
from the 7000 WebDAV-Requests git made during that short debug
session...

regards,
andreas

Gnus, git, www.gnus.org (was: Gnus Git repository info and comitters: need updated password)

[Reiner Steib]

Ted Zlatanov <tzz <at> lifelogs.com> writes:

> On Sun, 18 Apr 2010 13:10:17 +0100 Leo <sdl.web <at> gmail.com> wrote: 
> 
> >> I don't know how soon www.gnus.org can be updated because it's managed
> >> by Lars outside what I can edit, but I think disabling the Gnus CVS
> >> repository will be a pretty good way to indicate it's no longer active.
> >> I can always re-enable it if there's a need.  [...]
> 
> L> May it be possible for some one to take over maintenance from Lars?
> 
> So far Lars is not interested in this option and I'm not eager to run
> yet another web site.  I haven't heard from Reiner Steib in ages so I
> don't know his position.  

Just a sign of life from me...  I'm away from my regular internet connection and
will be away for one week (or more if the vulcano ashes stays?). The time before
I was quite busy, both at work and in private life.

> IMO it's best to set up an automatic publisher of the www.gnus.org and
> git.gnus.org sites straight from Git (which is why I set up the www/
> directory).  That will work regardless of who is the web site maintainer
> and will take the publishing burden off that person.  

I think the whole web site should be in the repository (like on
savannah.gnu.org), I already suggested this to Lars (maybe a year ago).

Please try to make sure to update the web pages WRT cvs when doing the official
switch. Do you intend to sync from git to cvs?

WRT to the switch to some other VC system: I'd prefer not to have a different
one than for Emacs, but well...

BTW, http://git.gnus.org says:
| The comitter should also have a ~/.netrc file that says
| machine git.gnus.org login yourlogin password yourpassword

Is it really necessary to store the *unencrypted* password in .netrc?

Bye, Reiner

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sun, 18 Apr 2010 18:35:26 +0200 Andreas Seltenreich <andreas+ding@gate450.dyndns.org> wrote: 

AS> Sounds very promising.  It uses plain CGI, so I don't see problems with
AS> the old apache.  According to the docs, it should also work nicely with
AS> the existing BasicAuth credentials for write access.  Being a "smart
AS> protocol", it should be more efficient as well.  I'm still shivering
AS> from the 7000 WebDAV-Requests git made during that short debug
AS> session...

Unfortunately it requires lots of Apache 2.x specific things, according
to the HOWTOs I found, so I'll just set up a 2.x server on git.gnus.org
(it's a separate IP so it won't interfere with the existing 1.x
servers on that machine).

On Sun, 18 Apr 2010 21:04:10 +0000 (UTC) Reiner Steib <reiner.steib@gmx.de> wrote: 

>> IMO it's best to set up an automatic publisher of the www.gnus.org and
>> git.gnus.org sites straight from Git (which is why I set up the www/
>> directory).  That will work regardless of who is the web site maintainer
>> and will take the publishing burden off that person.  

RS> I think the whole web site should be in the repository (like on
RS> savannah.gnu.org), I already suggested this to Lars (maybe a year ago).

With the git-http-backend we can set up auto-publishing so it can all
Just Work.  Do you want it automatic immediate, scheduled hourly/daily,
or manual by you and me?

You will have to change the Gnus release procedure since it's very
CVS-centric but I think it will be simpler and easier as well.

RS> Please try to make sure to update the web pages WRT cvs when doing the official
RS> switch. Do you intend to sync from git to cvs?

No, I think CVS should be shut off.  It's a waste of time to maintain
CVS today IMO.  If you disagree, tell me why :)

CVS is already disabled for commits so until www.gnus.org is updated we
can keep it running but without any new updates.  I think that's an
acceptable situation.

There's git-cvsserver as well.  I'm opposed to providing that but will
listen if there's a reason to do so.

RS> WRT to the switch to some other VC system: I'd prefer not to have a different
RS> one than for Emacs, but well...

Honestly I wish the Emacs maintainers the best with Bazaar, but I don't
want to run a Bazaar repository.  I hope this doesn't become an issue
with you or them.

RS> BTW, http://git.gnus.org says:
RS> | The comitter should also have a ~/.netrc file that says
RS> | machine git.gnus.org login yourlogin password yourpassword

RS> Is it really necessary to store the *unencrypted* password in .netrc?

I don't believe curl supports encrypting the netrc.  Maybe someone more
knowledgeable can tell us if that is planned for the future.  As you
know I've always pushed people to encrypt their authinfo file so this
situation is unpleasant to me as well.  These passwords are also
crypt-ed on the server, which is not a very secure algorithm, and of
course we're going against a self-signed SSL certificate.  I'd rather
have used SSH but that's just not an option until and if Lars approves
it.  So as with DNS and the SSL certificate, we'll wait for his decision.

Ted

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Sun, 18 Apr 2010 18:37:18 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> Unfortunately it requires lots of Apache 2.x specific things, according
TZ> to the HOWTOs I found, so I'll just set up a 2.x server on git.gnus.org
TZ> (it's a separate IP so it won't interfere with the existing 1.x
TZ> servers on that machine).

OK, this is done.  The same instructions as before are valid, but now
git-http-backend is used and thus "smart" clients will work much faster.
Apache 2 was not too bad to set up, but I had to modify the existing
Apache 1 configuration a little.  http://git.gnus.org still serves the
index.html so there's a good starting point for new users.

I tested that git clone, pull, and push work with the new setup.  Push
only works with the committer-only https://git.gnus.org address.
Everything appears much faster.

Commit e-mails are going to cvslog@quimby.gnus.org and end up logged
into the proper (gnus.cvslog mailing list, etc.) channels.  I tested
those too.

I've set gc.packrefs to true.  Since this repo will be served by
git-http-backend we should be OK with that, IIUC.

I considered setting up a web interface for browsing but would rather
leave things simple and easy to understand.  Also I don't want to burden
the web server further.

Unless there are problems, this is becoming official as of tomorrow and
I'll send the announcements.

Ted

Re: Gnus Git repository info and comitters: need updated password

[James Cloos]

>>>>> "TZ" == Ted Zlatanov <tzz@lifelogs.com> writes:

TZ> I considered setting up a web interface for browsing but would
TZ> rather leave things simple and easy to understand.  Also I don't
TZ> want to burden the web server further.

Cgit has proven fast and easy on sites like fdo.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Re: Gnus, git, www.gnus.org

[Reiner Steib]

Hi Ted,

could you describe from which source (in which way) the git.gnus.org repository
has been created?

(a) Direct conversion (cvs -> git) from cvs.gnus.org (on the server?)

(b) clone of David Engster's git repo

(c) clone of repo.or.cz?  Which is controlled by Andreas Schwab?

(d) something else

In case of (b) or (c), had anyone else beside David or Andreas write access to
those repositories?  Sorry for being extra paranoid.

Bye, Reiner

Re: Gnus, git, www.gnus.org

[Ted Zlatanov]

On Mon, 19 Apr 2010 17:49:41 +0000 (UTC) Reiner Steib <reiner.steib@gmx.de> wrote: 

RS> could you describe from which source (in which way) the git.gnus.org repository
RS> has been created?

RS> (a) Direct conversion (cvs -> git) from cvs.gnus.org (on the server?)

This had issues I recall, some of the CVS history was corrupted.

RS> (b) clone of David Engster's git repo

RS> (c) clone of repo.or.cz?  Which is controlled by Andreas Schwab?

I used repo.or.cz in the end.

RS> (d) something else

RS> In case of (b) or (c), had anyone else beside David or Andreas write access to
RS> those repositories?  Sorry for being extra paranoid.

I did a diff against a checkout of the CVS repo and saw nothing
suspicious.  The commit log looked fine too.  AFAIK Andreas has been
careful with his repo which is why I used it (David's repo was fine but
didn't have the authors correctly).  This saved me many hours of work.

Andreas can comment on repo.or.cz write access.

Ted

Re: Gnus, git, www.gnus.org

[Andreas Schwab]

Ted Zlatanov <tzz@lifelogs.com> writes:

> Andreas can comment on repo.or.cz write access.

See <http://repo.or.cz/editproj.cgi?name=gnus.git>.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus, git, www.gnus.org

[Ted Zlatanov]

On Mon, 19 Apr 2010 21:21:30 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Ted Zlatanov <tzz@lifelogs.com> writes:
>> Andreas can comment on repo.or.cz write access.

AS> See <http://repo.or.cz/editproj.cgi?name=gnus.git>.

Thanks, Andreas.

As I said, I looked Andreas' repo over and didn't find discrepancies,
using diff and checking the commits.  The likelihood of Andreas or
someone from repo.or.cz corrupting or infecting the source,
intentionally or not, is pretty low so I didn't invest more than 1 hour
in this.

Reiner, the CVS repo is still available and you can check a few branches
and tags manually.  Maybe someone is interested in automating this, but
I won't be able to do it.  I won't shut CVS off until you tell me you're
satisfied with the conversion.

Thanks
Ted

Re: Gnus, git, www.gnus.org

[Tim Landscheidt]

Ted Zlatanov <tzz@lifelogs.com> wrote:

> RS> could you describe from which source (in which way) the git.gnus.org repository
> RS> has been created?

> RS> (a) Direct conversion (cvs -> git) from cvs.gnus.org (on the server?)

> This had issues I recall, some of the CVS history was corrupted.

> RS> (b) clone of David Engster's git repo

> RS> (c) clone of repo.or.cz?  Which is controlled by Andreas Schwab?

> I used repo.or.cz in the end.

> RS> (d) something else

> RS> In case of (b) or (c), had anyone else beside David or Andreas write access to
> RS> those repositories?  Sorry for being extra paranoid.

> I did a diff against a checkout of the CVS repo and saw nothing
> suspicious.  The commit log looked fine too.  AFAIK Andreas has been
> careful with his repo which is why I used it (David's repo was fine but
> didn't have the authors correctly).  This saved me many hours of work.
> [...]

Did you only diff HEAD? Why wasn't it possible to replicate
the steps Andreas had taken for repo.or.cz at gnus.org?

  Don't get me wrong: I have high regards for everyone try-
ing to get rid of CVS and appreciate their efforts.

Tim

Re: Gnus Git repository info and comitters: need updated password

[Ted Zlatanov]

On Mon, 19 Apr 2010 02:12:42 -0400 James Cloos <cloos@jhcloos.com> wrote: 

>>>>>> "TZ" == Ted Zlatanov <tzz@lifelogs.com> writes:
TZ> I considered setting up a web interface for browsing but would
TZ> rather leave things simple and easy to understand.  Also I don't
TZ> want to burden the web server further.

JC> Cgit has proven fast and easy on sites like fdo.

Thanks for the hint.  I set it up and mentioned it on the web page:
http://git.gnus.org/cgit/gnus.git/

It's FAST and you can make a tarball/zipfile of any tag or branch.  I
like it.

Ted

Re: Gnus, git, www.gnus.org

[Ted Zlatanov]

On Mon, 19 Apr 2010 23:28:14 +0000 Tim Landscheidt <tim@tim-landscheidt.de> wrote: 

TL> Did you only diff HEAD? 

No, I also checked the history and did a few random checks.  But I
didn't invest much time in verification.

TL> Why wasn't it possible to replicate the steps Andreas had taken for
TL> repo.or.cz at gnus.org?

I don't think it's necessary; his repo was accurate and already done.

As I said, if you or anyone else wants to confirm the conversion, please
do.  I'm satisfied that it is correct.

Thanks
Ted

Re: Gnus, git, www.gnus.org

[Sivaram Neelakantan]

Ted Zlatanov <tzz@lifelogs.com> writes:

Not sure whether this is the right thread to post it about....

[snipped 18 lines]

/cygdrive/c/gnu/elisp/gnus-cvs
$ ls
CVS/      pgg/      ChangeLog    README          configure*     mkinstalldirs*
contrib/  smilies/  GNUS-NEWS*   aclocal.m4      configure.in*  todo*
etc/      texi/     Makefile     config.log*     install-sh*
lisp/     COPYING   Makefile.in  config.status*  make.bat
$ cd -
/cygdrive/c/gnu/elisp/gnusgit/gnus
$ ls
contrib/  texi/    ChangeLog    README        install-sh*     todo
etc/      www/     GNUS-NEWS    aclocal.m4    make.bat
lisp/     COPYING  Makefile.in  configure.in  mkinstalldirs*

The git repository seems to be missing the configure script, among
others? 

 sivaram
 -- 

Re: Gnus, git, www.gnus.org

[Andreas Schwab]

Sivaram Neelakantan <nsivaram.net@gmail.com> writes:

> The git repository seems to be missing the configure script

For some reason it was missing from the tarball of the CVS repository
that I used as the base during conversion, and since it was last
modified more than 2 years ago I didn't notice anything during the
incremental updates.

> among others?

Your checkout is not clean.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus, git, www.gnus.org

[Ted Zlatanov]

On Thu, 22 Apr 2010 21:48:00 +0200 Andreas Schwab <schwab@linux-m68k.org> wrote: 

AS> Sivaram Neelakantan <nsivaram.net@gmail.com> writes:
>> The git repository seems to be missing the configure script

AS> For some reason it was missing from the tarball of the CVS repository
AS> that I used as the base during conversion, and since it was last
AS> modified more than 2 years ago I didn't notice anything during the
AS> incremental updates.

I didn't notice it either, sorry.  I committed a new version generated
with Autoconf 2.65 (the old one used 2.61 so this should be an
improvement).  Please let me know if it works for you.

Many projects actually leave running `autoconf' up to the user when the
project is checked out of the VCS (while release tarballs will have the
generated code).  I wonder if that makes sense for Gnus as well; we
could undo my commit and revise the README accordingly.  I have no preference.

Thanks
Ted

Re: Gnus, git, www.gnus.org

[Harry Putnam]

Ted Zlatanov <tzz@lifelogs.com> writes:

> Many projects actually leave running `autoconf' up to the user when
> the project is checked out of the VCS (while release tarballs will
> have the generated code).  I wonder if that makes sense for Gnus as
> well; we could undo my commit and revise the README accordingly.  I
> have no preference.

That was actually how gnus was once packaged if I remember correctly.

Someone here will know for sure,,, but I think around quassia or a
little earlier, users were expected to generate their own .configure.

But I may be remembering emacs... being that way.

Seems like it was more involved back then,,,  modern aclocal makes
it pretty easy...

Re: Gnus, git, www.gnus.org

[Russ Allbery]

Harry Putnam <reader@newsguy.com> writes:

> Seems like it was more involved back then,,, modern aclocal makes it
> pretty easy...

Yeah, mostly you just run autoreconf and everything works these days.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Re: Gnus, git, www.gnus.org

[Sivaram Neelakantan]

Andreas Schwab <schwab@linux-m68k.org> writes:

> Sivaram Neelakantan <nsivaram.net@gmail.com> writes:

[snipped 10 lines]

> Your checkout is not clean.

Why?  All I did was a git clone and then gc --aggressive, as was
mentioned in this thread.  and I think the object count was the same.
Git didn't die or throw any messages.

OR better still, how do I now check the integrity of the cloned repo,
if the checkout was not clean as you say?

[snipped 3 lines]


 sivaram
 -- 

Re: Gnus Git repository info and comitters: need updated password

[Tim Landscheidt]

Ted Zlatanov <tzz@lifelogs.com> wrote:

> TL> Even though you are consistent about it: It's
> TL> "co*mm*it" :-). I find the "GIT_SSL_NO_VERIFY=1" bit a lit-
> TL> tle troubling as the right way(TM) would probably to install
> TL> the certificate locally.

> I fixed that typo in www/git.gnus.org/index.html.  Thanks.

> As far as the SSL certificate, similarly to the DNS issues, I don't run
> the gnus.org domain so when Lars has the time to address it he will.
> [...]

It seems you misinterpreted me: Until Lars can install a
certificate signed by one of the usual suspects I think the
right way(TM) would be that you should install the certifi-
cate locally (on your client) instead of just not verifying
it at all.

Tim

Re: Gnus, git, www.gnus.org

[Bjørn Mork]

Ted Zlatanov <tzz@lifelogs.com> writes:

> I didn't notice it either, sorry.  I committed a new version generated
> with Autoconf 2.65 (the old one used 2.61 so this should be an
> improvement).  Please let me know if it works for you.

You probably want to remove configure from .gitignore then.


Bjørn

Re: Gnus, git, www.gnus.org

[Andreas Schwab]

Sivaram Neelakantan <nsivaram.net@gmail.com> writes:

> Andreas Schwab <schwab@linux-m68k.org> writes:
>
>> Sivaram Neelakantan <nsivaram.net@gmail.com> writes:
>
> [snipped 10 lines]
>
>> Your checkout is not clean.
>
> Why?

I was talking about your CVS checkout, the other extra files were not
under version control.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Gnus, git, www.gnus.org

[Ted Zlatanov]

On Fri, 23 Apr 2010 12:00:39 +0200 Bjørn Mork <bjorn@mork.no> wrote: 

BM> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I didn't notice it either, sorry.  I committed a new version generated
>> with Autoconf 2.65 (the old one used 2.61 so this should be an
>> improvement).  Please let me know if it works for you.

BM> You probably want to remove configure from .gitignore then.

Applied, thanks for the catch.

Ted

Re: Gnus, git, www.gnus.org

[Greg Troxel]

[-- Attachment #1: Type: text/plain, Size: 790 bytes --]


Ted Zlatanov <tzz@lifelogs.com> writes:

> On Fri, 23 Apr 2010 12:00:39 +0200 Bjørn Mork <bjorn@mork.no> wrote: 
>
> BM> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> I didn't notice it either, sorry.  I committed a new version generated
>>> with Autoconf 2.65 (the old one used 2.61 so this should be an
>>> improvement).  Please let me know if it works for you.
>
> BM> You probably want to remove configure from .gitignore then.
>
> Applied, thanks for the catch.

Why is a generated file even checked in?  It seems normal practice is
for cvs/svn/git to not have any of that, and to generate it for
tarballs.  I usually see "bootstrap.sh" or "autogen.sh" that will run
autoconf/aclocal/automake/etc.  Hardly anyone who can deal with git has
trouble with autoconf :-)


[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]

SSL certificate issues for git.gnus.org (was: Gnus Git repository info and comitters: need updated password)

[Ted Zlatanov]

On Fri, 23 Apr 2010 09:54:03 +0000 Tim Landscheidt <tim@tim-landscheidt.de> wrote: 

TL> Ted Zlatanov <tzz@lifelogs.com> wrote:
>> As far as the SSL certificate, similarly to the DNS issues, I don't run
>> the gnus.org domain so when Lars has the time to address it he will.
>> [...]

TL> It seems you misinterpreted me: Until Lars can install a certificate
TL> signed by one of the usual suspects I think the right way(TM) would
TL> be that you should install the certificate locally (on your client)
TL> instead of just not verifying it at all.

No, I understood you but didn't (at the time) think it was necessary.
Whether it's necessary really depends on how soon Lars can get the
certificate.

Lars: you can get the git.gnus.org certificate for free from
https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp if you fill out
the form.  Get one for gnus.org as well while you're there.  You could
have me fill it in but then I need to be listed as the web admin of
gnus.org (plus see my previous request to let me manage that web site,
which would also be a good idea at this time).

For those who want to, http://curl.haxx.se/docs/sslcerts.html has
instructions for installing the current git.gnus.org self-signed
certificate.

Thanks
Ted

Re: Gnus, git, www.gnus.org

[Ted Zlatanov]

On Fri, 23 Apr 2010 09:08:55 -0400 Greg Troxel <gdt@work.lexort.com> wrote: 

GT> Ted Zlatanov <tzz@lifelogs.com> writes:

>> On Fri, 23 Apr 2010 12:00:39 +0200 Bjørn Mork <bjorn@mork.no> wrote: 
>> 
BM> Ted Zlatanov <tzz@lifelogs.com> writes:
>>>> I didn't notice it either, sorry.  I committed a new version generated
>>>> with Autoconf 2.65 (the old one used 2.61 so this should be an
>>>> improvement).  Please let me know if it works for you.
>> 
BM> You probably want to remove configure from .gitignore then.
>> 
>> Applied, thanks for the catch.

GT> Why is a generated file even checked in?  It seems normal practice is
GT> for cvs/svn/git to not have any of that, and to generate it for
GT> tarballs.  I usually see "bootstrap.sh" or "autogen.sh" that will run
GT> autoconf/aclocal/automake/etc.  Hardly anyone who can deal with git has
GT> trouble with autoconf :-)

We'll leave it in for now because in CVS it was checked in.  Reiner
Steib can decide if it stays in, since he releases tarballs.  It's not a
big deal either way.

Ted

Re: Gnus, git, www.gnus.org

[Sivaram Neelakantan]

Andreas Schwab <schwab@linux-m68k.org> writes:


[snipped 10 lines]

>> Why?
>
> I was talking about your CVS checkout, the other extra files were not
> under version control.

Oh!  Sorry for completely misunderstanding your post.

 sivaram
 -- 

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Fri, 23 Apr 2010 08:16:52 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> Lars: you can get the git.gnus.org certificate for free from
TZ> https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp if you fill out
TZ> the form.  Get one for gnus.org as well while you're there.  You could
TZ> have me fill it in but then I need to be listed as the web admin of
TZ> gnus.org (plus see my previous request to let me manage that web site,
TZ> which would also be a good idea at this time).

TZ> For those who want to, http://curl.haxx.se/docs/sslcerts.html has
TZ> instructions for installing the current git.gnus.org self-signed
TZ> certificate.

It's been a while.  Can we get a valid SSL cert for git.gnus.org?  I'd
pay for it to save everyone the hassle of insecure SSL but am not the
owner of the domain.

It can even come from http://www.cacert.org/ -- it's not hard to add
their CA bundle.  Or StartSSL, which is free and works in all major
browsers and `curl' because their CA bundle is already well-accepted.

Ted

Re: SSL certificate issues for git.gnus.org

[Adam Sjøgren]

On Fri, 25 Feb 2011 15:58:20 -0600, Ted wrote:

> It's been a while.  Can we get a valid SSL cert for git.gnus.org?

How are self-signed certificates not valid? Or are you referring to the
certificate expiring on 10/05/2010?

> I'd pay for it to save everyone the hassle of insecure SSL but am not
> the owner of the domain.

How is SSL using a self-signed certificate insecure?

> It can even come from http://www.cacert.org/ -- it's not hard to add
> their CA bundle.  Or StartSSL, which is free and works in all major
> browsers and `curl' because their CA bundle is already well-accepted.

Do either of those support making certificates with subjectAltNames in
them?


  Just curious!

    Adam

-- 
 "I always liked songs with parentheses in the title."        Adam Sjøgren
                                                         asjo@koldfront.dk

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Fri, 25 Feb 2011 23:39:49 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote: 

AS> On Fri, 25 Feb 2011 15:58:20 -0600, Ted wrote:
>> It's been a while.  Can we get a valid SSL cert for git.gnus.org?

AS> How are self-signed certificates not valid? Or are you referring to the
AS> certificate expiring on 10/05/2010?

I mean they are considered invalid when you do a `git checkout' with a
standard system.  I should have been more precise, sorry.  It looks like
this:

"% git clone https://git.gnus.org/gnus.git
Initialized empty Git repository in /tmp/gnus/.git/
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.gnus.org/gnus.git/info/refs

fatal: HTTP request failed"

which looks bad.  This is on Ubuntu 10.10.

>> I'd pay for it to save everyone the hassle of insecure SSL but am not
>> the owner of the domain.

AS> How is SSL using a self-signed certificate insecure?

Users have to either import the certificate initially or disable
http.sslVerify.  Neither is as secure as a valid certificate chain with
a CA bundle that's already installed, although the former is better of
course.

>> It can even come from http://www.cacert.org/ -- it's not hard to add
>> their CA bundle.  Or StartSSL, which is free and works in all major
>> browsers and `curl' because their CA bundle is already well-accepted.

AS> Do either of those support making certificates with subjectAltNames in
AS> them?

I don't know, sorry.  StartSSL is extremely basic so probably no with them.

Ted

Re: SSL certificate issues for git.gnus.org

[Adam Sjøgren]

On Fri, 25 Feb 2011 16:54:01 -0600, Ted wrote:

AS> How is SSL using a self-signed certificate insecure?

> Users have to either import the certificate initially or disable
> http.sslVerify.  Neither is as secure as a valid certificate chain with
> a CA bundle that's already installed, although the former is better of
> course.

The only difference in security is whatever confirmation of identity the
organisation signing the certificate performs, right?

Just making sure I haven't misunderstood how this stuff works...


  Best regards,

    Adam

-- 
 "I always liked songs with parentheses in the title."        Adam Sjøgren
                                                         asjo@koldfront.dk

Re: SSL certificate issues for git.gnus.org

[Julien Danjou]

[-- Attachment #1: Type: text/plain, Size: 370 bytes --]

On Fri, Feb 25 2011, Adam Sjøgren wrote:

> The only difference in security is whatever confirmation of identity the
> organisation signing the certificate performs, right?

Right.

Personally, I'm fine with self-signed. I hate this certificate business
which brings nothing if just money to bad companies.

-- 
Julien Danjou
❱ http://julien.danjou.info

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

Re: SSL certificate issues for git.gnus.org

[Steinar Bang]

>>>>> Ted Zlatanov <tzz@lifelogs.com>:

> It can even come from http://www.cacert.org/ -- it's not hard to add
> their CA bundle.

Debian comes with this one installed, I think...?

Re: SSL certificate issues for git.gnus.org

[Adam Sjøgren]

On Sat, 26 Feb 2011 08:51:30 +0100, Julien wrote:

> Personally, I'm fine with self-signed. I hate this certificate business
> which brings nothing if just money to bad companies.

... and some good *coughUbuntucough*


  :-),

   Adam

-- 
 "I always liked songs with parentheses in the title."        Adam Sjøgren
                                                         asjo@koldfront.dk

Re: SSL certificate issues for git.gnus.org

[Steinar Bang]

>>>>> asjo@koldfront.dk (Adam Sjøgren):

> On Sat, 26 Feb 2011 08:51:30 +0100, Julien wrote:
>> Personally, I'm fine with self-signed. I hate this certificate business
>> which brings nothing if just money to bad companies.

> ... and some good *coughUbuntucough*

I'm not sure, but I think they also support http://cacert.org as a CA,
like debian does...?

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Fri, 25 Feb 2011 23:59:43 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote: 

AS> On Fri, 25 Feb 2011 16:54:01 -0600, Ted wrote:
AS> How is SSL using a self-signed certificate insecure?

>> Users have to either import the certificate initially or disable
>> http.sslVerify.  Neither is as secure as a valid certificate chain with
>> a CA bundle that's already installed, although the former is better of
>> course.

AS> The only difference in security is whatever confirmation of identity the
AS> organisation signing the certificate performs, right?

You're talking about abstract security, as a signing process.  I'm
saying the *user* has to either import the self-signed certificate off
the website and hope it's not compromised or he has to disable
http.sslVerify.

Furthermore, a self-signed certificate looks unprofessional.  It's
better to set up a CA or to use a well-known one.  savannah.gnu.org
thinks so too and uses CAcert:

http://savannah.gnu.org/tls/

This actually connects to some questions I had about Emacs' built-in
certificates when I worked on GnuTLS support.  But neither the GNU
project nor the FSF seem to have a policy in this regard so we default
to whatever certificates the OS trusts.

On Sat, 26 Feb 2011 08:51:30 +0100 Julien Danjou <julien@danjou.info> wrote: 

JD> I hate this certificate business which brings nothing if just money
JD> to bad companies.

I respectfully disagree.  The current prices on the major sellers are
certainly ridiculous but there are many reasonable and even free ones.

On Sat, 26 Feb 2011 15:59:53 +0100 Steinar Bang <sb@dod.no> wrote: 

>>>>>> asjo@koldfront.dk (Adam Sjøgren):
>> ... and some good *coughUbuntucough*

SB> I'm not sure, but I think they also support http://cacert.org as a CA,
SB> like debian does...?

Debian does, but Ubuntu doesn't, unfortunately.  See
http://wiki.cacert.org/InclusionStatus

Ted

Re: SSL certificate issues for git.gnus.org

[Steinar Bang]

>>>>> Ted Zlatanov <tzz@lifelogs.com>:

> Debian does, but Ubuntu doesn't, unfortunately.  See
> http://wiki.cacert.org/InclusionStatus

A pity.  The stuff in the "discussion" link, sounds like another
"Shuttleworth-decision" I would disagree with (others being Unity on
netbooks, and ditching X).

Nothing I can do about that, other than migrate back to debian.  Which
I've done, except for on the family's netbooks (none of which run Unity,
btw). 

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Mon, 28 Feb 2011 22:01:31 +0100 Steinar Bang <sb@dod.no> wrote: 

>>>>>> Ted Zlatanov <tzz@lifelogs.com>:
>> Debian does, but Ubuntu doesn't, unfortunately.  See
>> http://wiki.cacert.org/InclusionStatus

SB> A pity.  The stuff in the "discussion" link, sounds like another
SB> "Shuttleworth-decision" I would disagree with (others being Unity on
SB> netbooks, and ditching X).

Strange.  I see the file as /etc/ssl/certs/cacert.org.pem on a new
Ubuntu 10.10 install.  So I don't know what's accurate but I guess,
considering Savannah also uses it, that a cacert.org SSL certificate is
the easiest way to do what I'm asking.

But I can't request it.

Ted

Re: SSL certificate issues for git.gnus.org

[Steinar Bang]

>>>>> Ted Zlatanov <tzz@lifelogs.com>:

> But I can't request it.

Just supplementing Ted's statement: 
 To be able to request a cacert.org signed certificate for git.gnus.org,
 you need to be able to receive and respond to, email sent to
 hostmaster@git.gnus.org.

Re: SSL certificate issues for git.gnus.org

[Lars Magne Ingebrigtsen]

Steinar Bang <sb@dod.no> writes:

> Just supplementing Ted's statement: 
>  To be able to request a cacert.org signed certificate for git.gnus.org,
>  you need to be able to receive and respond to, email sent to
>  hostmaster@git.gnus.org.

Ok; I've now set up MX for git.gnus.org, and directed hostmaster to
myself, so request away...

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: SSL certificate issues for git.gnus.org

[Steinar Bang]

>>>>> Lars Magne Ingebrigtsen <larsi@gnus.org>:

> Ok; I've now set up MX for git.gnus.org, and directed hostmaster to
> myself, so request away...

It has to be done by you
 https://www.cacert.org/index.php?id=1

It would also probably be best to sign up for the domain gnus.org
(meaning that you must control the email address hostmaster at gnus.org),
and then from that loging create certificates for subdomains, like
eg. git.gnus.org.

Hm... and the way to generate certificates seems to have changed since
when I did it.  This requires a bit more research...

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Sat, 05 Mar 2011 13:04:01 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Steinar Bang <sb@dod.no> writes:
>> Just supplementing Ted's statement: 
>> To be able to request a cacert.org signed certificate for git.gnus.org,
>> you need to be able to receive and respond to, email sent to
>> hostmaster@git.gnus.org.

LMI> Ok; I've now set up MX for git.gnus.org, and directed hostmaster to
LMI> myself, so request away...

On Sat, 05 Mar 2011 21:00:06 +0100 Steinar Bang <sb@dod.no> wrote: 

SB> It has to be done by you
SB>  https://www.cacert.org/index.php?id=1

SB> It would also probably be best to sign up for the domain gnus.org
SB> (meaning that you must control the email address hostmaster at gnus.org),
SB> and then from that loging create certificates for subdomains, like
SB> eg. git.gnus.org.

Sorry, I can't enter the data for you.  You need the date of birth and a
passphrase to become a CACert member.  I wish it could be easier.

Ted

Re: SSL certificate issues for git.gnus.org

[Simon Josefsson]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Sat, 05 Mar 2011 13:04:01 +0100 Lars Magne Ingebrigtsen
> <larsi@gnus.org> wrote:
>
> LMI> Steinar Bang <sb@dod.no> writes:
>>> Just supplementing Ted's statement: 
>>> To be able to request a cacert.org signed certificate for git.gnus.org,
>>> you need to be able to receive and respond to, email sent to
>>> hostmaster@git.gnus.org.
>
> LMI> Ok; I've now set up MX for git.gnus.org, and directed hostmaster to
> LMI> myself, so request away...
>
> On Sat, 05 Mar 2011 21:00:06 +0100 Steinar Bang <sb@dod.no> wrote: 
>
> SB> It has to be done by you
> SB>  https://www.cacert.org/index.php?id=1
>
> SB> It would also probably be best to sign up for the domain gnus.org
> SB> (meaning that you must control the email address hostmaster at gnus.org),
> SB> and then from that loging create certificates for subdomains, like
> SB> eg. git.gnus.org.
>
> Sorry, I can't enter the data for you.  You need the date of birth and a
> passphrase to become a CACert member.  I wish it could be easier.

I think anyone who is already a CACert member could help with this, by
claiming ownership of the domain and then requesting certificates.  I
happen to be a member, so if I can help, let me know.  Generating the
private key and certificate request is relatively easy too.

/Simon

Re: SSL certificate issues for git.gnus.org

[Steinar Bang]

>>>>> Simon Josefsson <simon@josefsson.org>:

> I think anyone who is already a CACert member could help with this, by
> claiming ownership of the domain and then requesting certificates.  I
> happen to be a member, so if I can help, let me know.  Generating the
> private key and certificate request is relatively easy too.

I am also a member but I though I only could request certificate signing
for sub-domains of the one I'm the member as...?

This certificate stuff makes my head ache...

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Thu, 10 Mar 2011 10:44:53 +0100 Simon Josefsson <simon@josefsson.org> wrote: 

SJ> I think anyone who is already a CACert member could help with this, by
SJ> claiming ownership of the domain and then requesting certificates.  I
SJ> happen to be a member, so if I can help, let me know.  Generating the
SJ> private key and certificate request is relatively easy too.

I can do it, too, but it would be a false claim.  Lars owns the domain.

Ted

Re: SSL certificate issues for git.gnus.org

[James Cloos]

There are a few other alternatives, since this is an floss project.

Googling quickly finds:

https://cert.startcom.org/
https://www.godaddy.com/ssl/ssl-open-source.aspx

I've heard that Thawte offers them as well, but can't find a url.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Re: SSL certificate issues for git.gnus.org

[Simon Josefsson]

Steinar Bang <sb@dod.no> writes:

>>>>>> Simon Josefsson <simon@josefsson.org>:
>
>> I think anyone who is already a CACert member could help with this, by
>> claiming ownership of the domain and then requesting certificates.  I
>> happen to be a member, so if I can help, let me know.  Generating the
>> private key and certificate request is relatively easy too.
>
> I am also a member but I though I only could request certificate signing
> for sub-domains of the one I'm the member as...?

You can become "owner" of any domain by entering the domain under
cacert.org Domains->Add when you are logged in.  The domain owner will
get an e-mail to confirm the operation, but if he accepts then you can
get server certificates for that domain through CACert.

Of course, it is better if Lars gets an account, but to be trusted he
needs to sign papers and find someone else who is a CACert member (at
least that is how it used to work).  But I believe it is still possible
for anyone else to help out if Lars prefers to write elisp instead. :-)

/Simon

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Thu, 10 Mar 2011 22:50:11 +0100 Simon Josefsson <simon@josefsson.org> wrote: 

SJ> Steinar Bang <sb@dod.no> writes:
>>>>>>> Simon Josefsson <simon@josefsson.org>:
>> 
>>> I think anyone who is already a CACert member could help with this, by
>>> claiming ownership of the domain and then requesting certificates.  I
>>> happen to be a member, so if I can help, let me know.  Generating the
>>> private key and certificate request is relatively easy too.
>> 
>> I am also a member but I though I only could request certificate signing
>> for sub-domains of the one I'm the member as...?

SJ> You can become "owner" of any domain by entering the domain under
SJ> cacert.org Domains->Add when you are logged in.  The domain owner will
SJ> get an e-mail to confirm the operation, but if he accepts then you can
SJ> get server certificates for that domain through CACert.

Oh, I see.  I didn't know that.

Could you do the request?  You're probably the best person to do it.

Thanks
Ted

Re: SSL certificate issues for git.gnus.org

[Simon Josefsson]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Thu, 10 Mar 2011 22:50:11 +0100 Simon Josefsson <simon@josefsson.org> wrote: 
>
> SJ> Steinar Bang <sb@dod.no> writes:
>>>>>>>> Simon Josefsson <simon@josefsson.org>:
>>> 
>>>> I think anyone who is already a CACert member could help with this, by
>>>> claiming ownership of the domain and then requesting certificates.  I
>>>> happen to be a member, so if I can help, let me know.  Generating the
>>>> private key and certificate request is relatively easy too.
>>> 
>>> I am also a member but I though I only could request certificate signing
>>> for sub-domains of the one I'm the member as...?
>
> SJ> You can become "owner" of any domain by entering the domain under
> SJ> cacert.org Domains->Add when you are logged in.  The domain owner will
> SJ> get an e-mail to confirm the operation, but if he accepts then you can
> SJ> get server certificates for that domain through CACert.
>
> Oh, I see.  I didn't know that.
>
> Could you do the request?  You're probably the best person to do it.

I have made the request -- but Lars will need to approve it.

Lars, to generate the git.gnus.org certificate, please run something
like this and send me the CSR at the bottom (it is fine to post to the
list, it is not security sensitive) and I'll paste the request through
cacert and get a certificate back:

jas@latte:~$ certtool -p --outfile git.gnus.org-key.pem
Generating a 2048 bit RSA private key...
jas@latte:~$ certtool -q --load-privkey git.gnus.org-key.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): 
Organization name: 
Organizational unit name: 
Locality name: 
State or province name: 
Common name: git.gnus.org
UID: 
Enter a dnsName of the subject of the certificate: git.gnus.org
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): y
PKCS #10 Certificate Request Information:
	Version: 1
	Subject: CN=git.gnus.org
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
			c6:53:c1:43:9a:8e:5d:f5:89:10:27:00:7d:42:ff:6c
			a3:4f:bb:0c:58:c4:6c:9a:73:be:1d:6a:b5:e7:09:1c
			1f:de:53:20:de:30:2a:52:a5:96:3a:57:ce:32:02:e8
			e8:1d:2c:91:fa:c4:ed:95:84:95:b3:f9:91:3a:df:02
			d3:76:75:c6:09:2f:4e:16:f8:cb:ea:83:fb:58:e5:91
			52:ea:ef:74:7d:a5:9e:61:38:44:0f:de:92:b7:4a:f4
			ff:c5:93:6a:21:d2:cf:83:9c:cb:af:17:74:88:5f:87
			9a:63:8a:b9:f0:2b:1d:94:c8:f7:e1:ea:53:33:5e:d5
			c3:8f:83:c0:98:f1:9d:69:b6:8d:be:e9:27:ce:82:f6
			52:90:ea:d9:21:46:fc:04:95:27:0c:f8:6d:aa:51:fe
			11:3f:c3:f1:0a:ac:de:d5:bc:88:7f:73:bb:25:61:d2
			44:07:21:96:b9:4d:4f:c3:1a:35:be:41:2e:d5:5e:f6
			0e:a2:6f:56:40:a1:f5:e0:f5:85:1d:8b:24:db:c3:fe
			92:94:ce:23:cf:06:cc:1b:a2:f3:d6:bf:85:10:03:d8
			0d:ac:3d:d2:10:ba:bd:ea:4d:e8:42:5a:a7:49:e8:c3
			8d:86:dd:a0:09:77:62:43:ce:95:82:3c:8f:f4:c6:f3
		Exponent:
			01:00:01
	Attributes:
		Extensions:
			Subject Alternative Name (not critical):
				DNSname: git.gnus.org
			Basic Constraints (critical):
				Certificate Authority (CA): FALSE
			Key Usage (critical):
				Digital signature.
				Key encipherment.
			Key Purpose (critical):
				TLS WWW Server.
Other Information:
	Public Key Id:
		4dff66171012fd06f4ebe4206d4041cd4d020183

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICvTCCAaUCAQAwFzEVMBMGA1UEAxMMZ2l0LmdudXMub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxlPBQ5qOXfWJECcAfUL/bKNPuwxYxGyac74d
arXnCRwf3lMg3jAqUqWWOlfOMgLo6B0skfrE7ZWElbP5kTrfAtN2dcYJL04W+Mvq
g/tY5ZFS6u90faWeYThED96St0r0/8WTaiHSz4Ocy68XdIhfh5pjirnwKx2UyPfh
6lMzXtXDj4PAmPGdabaNvuknzoL2UpDq2SFG/ASVJwz4bapR/hE/w/EKrN7VvIh/
c7slYdJEByGWuU1Pwxo1vkEu1V72DqJvVkCh9eD1hR2LJNvD/pKUziPPBswbovPW
v4UQA9gNrD3SELq96k3oQlqnSejDjYbdoAl3YkPOlYI8j/TG8wIDAQABoGEwXwYJ
KoZIhvcNAQkOMVIwUDAXBgNVHREEEDAOggxnaXQuZ251cy5vcmcwDAYDVR0TAQH/
BAIwADAPBgNVHQ8BAf8EBQMDB6AAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMA0G
CSqGSIb3DQEBCwUAA4IBAQBLijy0bHwYLkb7ZwOlHfX9yjRvOrTPfe7/g8N1uD8y
hPChDpCbmQtdsbDQW1r9Bz8AiixtkfrAvz0UYuc6jTsqkD+P6hGb8g+oayJt4O2B
FA5sgcp6ydmjRicdt3uucbtB0uPr0gpMdqTQjwo6RL4YzhyG1HiVPGPbLNVu7T+7
0otyN2QPC6eHtgLqPel8LnJyJ0qqCdBVM0dGLWWrxHJYSQB+pCdhPJH/8YK8T7+D
Zo4/leWGihU+Ga90hYnPDFALhCU30XGCZItHjW4p5miS/vW/KGGqdWH55zpIM6ZE
cEIZVmUx1doYrKI7GOZm/X5dtrZgxCxhtIIebkHfRgTp
-----END NEW CERTIFICATE REQUEST-----
jas@latte:~$ 

/Simon

Re: SSL certificate issues for git.gnus.org

[Lars Magne Ingebrigtsen]

Simon Josefsson <simon@josefsson.org> writes:

> I have made the request -- but Lars will need to approve it.

(Sorry for the tardy response -- I've been building Ikea shelves for a
week now.)

I got the cacert email, and clicked through, and it said

"Your domain has been verified. You can now start issuing certificates
for this domain."

> Lars, to generate the git.gnus.org certificate, please run something
> like this and send me the CSR at the bottom (it is fine to post to the
> list, it is not security sensitive) and I'll paste the request through
> cacert and get a certificate back:

PKCS #10 Certificate Request Information:
        Version: 1
        Subject: C=NO,O=Gnus Network User Services,CN=git.gnus.org
        Subject Public Key Algorithm: RSA
                Modulus (bits 2048):
                        b7:b7:e4:69:94:84:5b:c6:f7:6d:e8:5b:6b:1b:2d:48
                        24:54:eb:1f:3e:60:e4:99:f1:f3:4c:a3:6b:fe:0c:93
                        25:5c:a8:e3:3c:04:ed:5b:6c:2c:ac:4f:2a:1b:9a:77
                        b1:b7:91:75:53:d7:09:d2:82:e7:0b:06:b6:d1:29:bb
                        f4:fc:b3:52:fb:29:d6:2b:1c:c3:60:83:82:69:5b:4a
                        93:9a:b2:1b:96:80:4e:3c:37:b8:b6:36:63:18:1e:0c
                        ca:cc:6c:a7:f2:ca:8e:26:f6:da:ce:cc:6b:2b:71:3b
                        b3:57:55:72:3a:83:72:d8:a2:d2:13:a6:74:66:7b:24
                        ac:40:d3:66:e5:54:b6:df:bd:72:b5:c6:f6:4b:e5:7e
                        fb:b5:c5:bd:59:7f:87:dd:5a:f8:16:e1:3a:2b:ed:ef
                        24:f9:54:c8:d7:9f:6b:9a:c9:d0:54:6a:70:b6:d5:93
                        8a:1c:f9:9a:df:14:3a:d2:05:f8:57:b2:21:2f:a6:04
                        1d:c2:f8:94:e7:bd:fd:f7:60:3e:8e:59:c6:fd:c4:85
                        14:c4:c3:e1:c7:4a:38:cd:ce:8d:98:c0:31:11:d7:b7
                        64:ae:42:dd:f0:27:db:db:d9:47:b1:ff:31:91:36:83
                        73:f1:f0:72:8c:fa:c1:b5:68:cc:3b:d7:33:e9:7d:bd
                Exponent:
                        01:00:01
        Attributes:
                Extensions:
                        Subject Alternative Name (not critical):
                                DNSname: git.gnus.org
                        Basic Constraints (critical):
                                Certificate Authority (CA): FALSE
                        Key Usage (critical):
                                Digital signature.
                                Key encipherment.
                        Key Purpose (not critical):
                                TLS WWW Server.
Other Information:
        Public Key Id:
                94ac9e58095aa6595b65205b7a5f9761e36723b1

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC6DCCAdICAQAwSTELMAkGA1UEBhMCTk8xIzAhBgNVBAoTGkdudXMgTmV0d29y
ayBVc2VyIFNlcnZpY2VzMRUwEwYDVQQDEwxnaXQuZ251cy5vcmcwggEgMAsGCSqG
SIb3DQEBAQOCAQ8AMIIBCgKCAQEAt7fkaZSEW8b3behbaxstSCRU6x8+YOSZ8fNM
o2v+DJMlXKjjPATtW2wsrE8qG5p3sbeRdVPXCdKC5wsGttEpu/T8s1L7KdYrHMNg
g4JpW0qTmrIbloBOPDe4tjZjGB4Mysxsp/LKjib22s7MaytxO7NXVXI6g3LYotIT
pnRmeySsQNNm5VS2371ytcb2S+V++7XFvVl/h91a+BbhOivt7yT5VMjXn2uaydBU                anC21ZOKHPma3xQ60gX4V7IhL6YEHcL4lOe9/fdgPo5Zxv3EhRTEw+HHSjjNzo2Y
wDER17dkrkLd8Cfb29lHsf8xkTaDc/Hwcoz6wbVozDvXM+l9vQIDAQABoF4wXAYJ
KoZIhvcNAQkOMU8wTTAXBgNVHREEEDAOggxnaXQuZ251cy5vcmcwDAYDVR0TAQH/
BAIwADAPBgNVHQ8BAf8EBQMDB6AAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGCSqG
SIb3DQEBBQOCAQEAHasaM97SpTxNwo46FYGBaKk6PH/FYMPvnXCJWQDcBaqKm7S4
8CzNOEUk0Ag8KCc0Zni7Lt7dOyXvaLqExEn6c47ZvGfGjh/zYZa43ixwc36Z+57H
dV2I95uobDmAcPgBUgiTp6IOxMZiAouMOOPKiNnURBM5bQ94FyompEtGjx7XGzLM
/JoRPuKJ9JvqzMhe9e69iacDuq3ll9yCJQJSt40MO5L8OLK0HP7E1BDNLdt56X+T
5i+P7hYvT6MJ12FIRoKggQZJHhEY/8ERnlr47DQ/HQczEWqiDaeC/6QtozOM/r3o
15+FsV4iYc7Rsvj+mIl9wRroYJPfqgLKpoOxAw==
-----END NEW CERTIFICATE REQUEST-----
        

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: SSL certificate issues for git.gnus.org

[Simon Josefsson]

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> Simon Josefsson <simon@josefsson.org> writes:
>
>> I have made the request -- but Lars will need to approve it.
>
> (Sorry for the tardy response -- I've been building Ikea shelves for a
> week now.)
>
> I got the cacert email, and clicked through, and it said
>
> "Your domain has been verified. You can now start issuing certificates
> for this domain."

Thanks -- it seems approved alright.

>> Lars, to generate the git.gnus.org certificate, please run something
>> like this and send me the CSR at the bottom (it is fine to post to the
>> list, it is not security sensitive) and I'll paste the request through
>> cacert and get a certificate back:
>
> PKCS #10 Certificate Request Information:

Thanks, here is the certificate:

-----BEGIN CERTIFICATE-----
MIIE0TCCArmgAwIBAgIDAMjmMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTEwMzE0MDg1MTEyWhcNMTMwMzEz
MDg1MTEyWjAXMRUwEwYDVQQDEwxnaXQuZ251cy5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC3t+RplIRbxvdt6FtrGy1IJFTrHz5g5Jnx80yja/4M
kyVcqOM8BO1bbCysTyobmnext5F1U9cJ0oLnCwa20Sm79PyzUvsp1iscw2CDgmlb
SpOashuWgE48N7i2NmMYHgzKzGyn8sqOJvbazsxrK3E7s1dVcjqDctii0hOmdGZ7
JKxA02blVLbfvXK1xvZL5X77tcW9WX+H3Vr4FuE6K+3vJPlUyNefa5rJ0FRqcLbV
k4oc+ZrfFDrSBfhXsiEvpgQdwviU573992A+jlnG/cSFFMTD4cdKOM3OjZjAMRHX
t2SuQt3wJ9vb2Uex/zGRNoNz8fByjPrBtWjMO9cz6X29AgMBAAGjgegwgeUwDAYD
VR0TAQH/BAIwADA0BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEGCWCGSAGG
+EIEAQYKKwYBBAGCNwoDAzALBgNVHQ8EBAMCBaAwMwYIKwYBBQUHAQEEJzAlMCMG
CCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzBdBgNVHREEVjBUggxn
aXQuZ251cy5vcmegGgYIKwYBBQUHCAWgDgwMZ2l0LmdudXMub3JnggxnaXQuZ251
cy5vcmegGgYIKwYBBQUHCAWgDgwMZ2l0LmdudXMub3JnMA0GCSqGSIb3DQEBBQUA
A4ICAQBEQ0M46NbqXlYYjSi+RH/wQ/Z4gbtLKG5uHZSV3V7RUUl6IgerXPDiGkF0
CwPXzD2K7A/qRWtsR9ymxDqyMYpBZMpP7dzIN5AJzAuIaUUCBoU3CIwLHOlirAyx
1Ks+qLfQFQ7CI3gnpebzkdC/QGMd4R+AaCMzvW10Gvg2V6xyfhreQ43g6zj5jLpQ
mcylstzvGrnN6I+YjL6FVOAD6zYNX+rxy/Q0YdXM8u0Tz1lMe1SDx6XGwojdH1uf
9eUTIB0J0+woKm+VIrrKcSWxKCnzUpSfw7985No+uuxzRhqD58rXOQrjkddQcXlk
Wxf5QXqXuLYl5rGrQFSDBONDKuOIN30908JUidzsuWHBzUWQ+9rom2hvRq+NeYWf
vjdtADDt8+cAsmw6FMDaqpf867J5TOeV5KA2BbTXb/V5rfe0kNAwPSKbHs7aUPsS
3SPdeCEGemV+J0WcB3MfhvvkaFwVclTr41FToX4ECFVuIJTfN8ZKdT74/XsrVGM9
a+jmmELarhpfLR4c2HexaACkn+GyNMuFOo9tDyg/W/uWrJjbrK2RKZynulP6C9O4
23Zv08PB1Sy7hikZSMhBNJiEr36G+peqc/0qFweVUcIg/2saZMhDzJf8P8xnPgzL
+Kwzb5FCUZpauiEH9YRyta5MlcRHTER7G2yWLH0LBVNwBz0KcA==
-----END CERTIFICATE-----

It is not strictly needed, but you may want to make the web server send
the following as an intermediate certificate too:

http://www.cacert.org/certs/class3.txt

Then clients only have to trust the root CACert CA without also knowing
the intermediate CACert certificate.  I suspect most clients already
trust the intermediate CACert CA anyway though.

If you are using apache with mod_gnutls (Debian libapache2-mod-gnutls)
just concatenate the git.gnus.org PEM blob above with the PEM blob in
the URL above into a text file and then point to the files like this:

        GnuTLSEnable on
        GnuTLSCertificateFile /etc/ssl/private/git.gnus.org-chain.pem
        GnuTLSKeyFile /etc/ssl/private/git.gnus.org-key.pem
        GnuTLSPriorities NORMAL

/Simon

Re: SSL certificate issues for git.gnus.org

[Matthias Andree]

Am 14.03.2011 09:59, schrieb Simon Josefsson:

> It is not strictly needed, but you may want to make the web server send
> the following as an intermediate certificate too:
>
> http://www.cacert.org/certs/class3.txt

Lars, please do, in order to establish proper practice - servers are 
supposed to send all intermediate CA certificates, too, in the right order.

 > Then clients only have to trust the root CACert CA without also knowing
> the intermediate CACert certificate.  I suspect most clients already
> trust the intermediate CACert CA anyway though.

For CAcert it's fine because the intermediate CA is usually trusted, but 
generally it is a bad thing, as it breaks end user setups. I've been 
through this 3-layered intermediate stuff with DFN setups more than a 
dozen times.

> If you are using apache with mod_gnutls (Debian libapache2-mod-gnutls)
> just concatenate the git.gnus.org PEM blob above with the PEM blob in
> the URL above into a text file and then point to the files like this:
>
>          GnuTLSEnable on
>          GnuTLSCertificateFile /etc/ssl/private/git.gnus.org-chain.pem
>          GnuTLSKeyFile /etc/ssl/private/git.gnus.org-key.pem
>          GnuTLSPriorities NORMAL

Similar considerations apply for mod_ssl if you happen to use that.
I can dig up details if desired.

Best regards

-- 
Matthias Andree

Re: SSL certificate issues for git.gnus.org

[Lars Magne Ingebrigtsen]

Simon Josefsson <simon@josefsson.org> writes:

> Thanks, here is the certificate:

Thanks!

Ted, I've now copied over the key and the certificate to ~larsi/cert on
Quimby.  Can you install it wherever git wants it to be installed?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Tue, 15 Mar 2011 16:45:18 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Simon Josefsson <simon@josefsson.org> writes:
>> Thanks, here is the certificate:

LMI> Ted, I've now copied over the key and the certificate to ~larsi/cert on
LMI> Quimby.  Can you install it wherever git wants it to be installed?

I'll do it together with the HTML deployment, soon-ish.

Ted

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

I'm no expert on SSL certificates but I think I did this correctly and
curl is happy (thus Git too) with https://git.gnus.org

The "CAcert Class 3 Root" is the issuer of the git.gnus.org certificate
and the "CA Cert Signing Authority" is next in the chain, as shown by
Chrome.  So I think they are all offered by the server correctly.  I
didn't have time to update the docs this morning, but please let me know
if there's a problem with the setup.

Ted

Re: SSL certificate issues for git.gnus.org

[Greg Troxel]

[-- Attachment #1: Type: text/plain, Size: 794 bytes --]


  I'm no expert on SSL certificates but I think I did this correctly and
  curl is happy (thus Git too) with https://git.gnus.org

  The "CAcert Class 3 Root" is the issuer of the git.gnus.org certificate
  and the "CA Cert Signing Authority" is next in the chain, as shown by
  Chrome.  So I think they are all offered by the server correctly.  I
  didn't have time to update the docs this morning, but please let me know
  if there's a problem with the setup.

I changed .git/config to edit remote to https for git.gnus.org, and then
got a cert failure.  I then installed the cacert root ca in
/etc/openssl/certs (NetBSD), and git remote update now prompts for a
password.

So

  I think the cert is fine

  anonymous fetching over https doesn't work (and maybe it's not
  intended to work)

[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Wed, 16 Mar 2011 07:31:35 -0400 Greg Troxel <gdt@work.lexort.com> wrote: 

GT> I changed .git/config to edit remote to https for git.gnus.org, and then
GT> got a cert failure.  I then installed the cacert root ca in
GT> /etc/openssl/certs (NetBSD), and git remote update now prompts for a
GT> password.

GT> So

GT>   I think the cert is fine

Cool.  I updated the docs to reflect that GIT_SSL_NO_VERIFY and 
"git config http.sslVerify false" are no longer necessary, and will push
them into place soon-ish.

GT>   anonymous fetching over https doesn't work (and maybe it's not
GT>   intended to work)

Correct, it's for committer access, as http://git.gnus.org/ says.  I
didn't think it was necessary to protect public access with SSL and most
projects don't.

Ted

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Tue, 15 Mar 2011 11:03:48 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> On Tue, 15 Mar 2011 16:45:18 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 
LMI> Simon Josefsson <simon@josefsson.org> writes:
>>> Thanks, here is the certificate:

LMI> Ted, I've now copied over the key and the certificate to ~larsi/cert on
LMI> Quimby.  Can you install it wherever git wants it to be installed?

TZ> I'll do it together with the HTML deployment, soon-ish.

The http://git.gnus.org page has been updated.

Ted

Re: SSL certificate issues for git.gnus.org

[Adam Sjøgren]

On Mon, 28 Feb 2011 13:33:44 -0600, Ted wrote:

> On Fri, 25 Feb 2011 23:59:43 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote: 

AS> The only difference in security is whatever confirmation of identity the
AS> organisation signing the certificate performs, right?

> You're talking about abstract security, as a signing process.  I'm
> saying the *user* has to either import the self-signed certificate off
> the website and hope it's not compromised or he has to disable
> http.sslVerify.

No, I am talking about the difference between knowing that the traffic
isn't snoopable between client and server (more secure than plain text)
vs. that+someone having said "the server is who the server claims to
be" (arguably slightly-to-a-lot more secure, depending on who you trust).

I think it was a fundamental error to conflate those two things. But
hey, it made some people very, very rich - and we got Ubuntu.

> Furthermore, a self-signed certificate looks unprofessional.

"I wear my unprofessionalism as a badge of honor. Professionalism has no
  place in art"

> On Sat, 26 Feb 2011 08:51:30 +0100 Julien Danjou <julien@danjou.info> wrote: 

JD> I hate this certificate business which brings nothing if just money
JD> to bad companies.

> I respectfully disagree.  The current prices on the major sellers are
> certainly ridiculous but there are many reasonable and even free ones.

Alas, the ones that are free either aren't in the Major Browsers by
default, or they (arbitrarily) don't allow you to create certificates
for multiple domains (subjectAltNames).


  Best regards,

    Adam

-- 
 "But they are all following you!                             Adam Sjøgren
  No, they ain't, I'm just in front"                     asjo@koldfront.dk

Re: SSL certificate issues for git.gnus.org

[Ted Zlatanov]

On Mon, 21 Mar 2011 20:54:35 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote: 

AS> On Mon, 28 Feb 2011 13:33:44 -0600, Ted wrote:
>> On Sat, 26 Feb 2011 08:51:30 +0100 Julien Danjou <julien@danjou.info> wrote: 

JD> I hate this certificate business which brings nothing if just money
JD> to bad companies.

>> I respectfully disagree.  The current prices on the major sellers are
>> certainly ridiculous but there are many reasonable and even free ones.

AS> Alas, the ones that are free either aren't in the Major Browsers by
AS> default, or they (arbitrarily) don't allow you to create certificates
AS> for multiple domains (subjectAltNames).

I think that's their prerogative.  I just brought up an Emacs-wide (or
GNU-wide) CA on emacs-devel, which would help at least in the scope of
Emacs.

Ted

Re: SSL certificate issues for git.gnus.org

[Adam Sjøgren]

On Mon, 21 Mar 2011 17:41:54 -0500, Ted wrote:

AS> Alas, the ones that are free either aren't in the Major Browsers by
AS> default, or they (arbitrarily) don't allow you to create certificates
AS> for multiple domains (subjectAltNames).

> I think that's their prerogative. [...]

And I think that system is broken; let's just leave it at that?


  Best regards,

    Adam

-- 
 "This is either madness... or brilliance."                   Adam Sjøgren
 "It's remarkable how often those two traits coincide."  asjo@koldfront.dk