From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/14008 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: vlse Newsgroups: gmane.linux.lib.musl.general Subject: Re: Supporting git access via smart HTTPS protocol for musl-libc Date: Tue, 26 Mar 2019 15:32:46 +0530 Message-ID: <20190326100245.GA1900@localhost> References: <20190324103306.GB1830@localhost> <20190326003411.GC1872@localhost> <20190326010933.GC3713@localhost> <397c5906-090a-460e-7ea8-8f9248e0be59@adelielinux.org> <20190326013706.GV23599@brightrain.aerifal.cx> <20190326015434.GB8855@localhost> <20190326025937.GW23599@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="100313"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Mutt/1.4.2.3i Cc: dalias@libc.org To: musl@lists.openwall.com Original-X-From: musl-return-14024-gllmg-musl=m.gmane.org@lists.openwall.com Tue Mar 26 11:02:31 2019 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by blaine.gmane.org with smtp (Exim 4.89) (envelope-from ) id 1h8iud-000Pwg-5l for gllmg-musl@m.gmane.org; Tue, 26 Mar 2019 11:02:31 +0100 Original-Received: (qmail 11741 invoked by uid 550); 26 Mar 2019 10:02:28 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 11722 invoked from network); 26 Mar 2019 10:02:28 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=veera.biz; s=default; h=In-Reply-To:Content-Type:Mime-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JIkCIor07DuYLjYF5QL5xeJV0V8yoN+cE6dSwcaeXk0=; b=IsxmUlbAXob+Nw/LReLSe8dufd rMQ6jsjCenQzR6uENVFYc2bbOd5mmgI153kZMdsMa1ujUn6Vc/GtYDko7Wcp51ty4rARL7IqvAW/n mHqbB2CeF70ExfKdZzo7Bg1kcOpfg8C4mF4vjsCvqF6LI/r06+gzHhBs7gV5jaRNEecLW+9Puk+Nj voavokNgLc4+a1+cOzuh1QcmVtUHo2Co3oB7YLckhN1cjL2u8Z8l9oXfoOqEVSZyiGkOp1arms5T3 5WewyetXoSb/FnwGXzYCOELGwgLTkCHn77HpKxxOlCB4YMZ8ThjOrYddc/qLGhHLUgsyDXI1T3KVL 5YNDPNAw==; Content-Disposition: inline In-Reply-To: <20190326025937.GW23599@brightrain.aerifal.cx> X-OutGoing-Spam-Status: No, score=-0.2 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - in-pun-ln-srv139.advancedserverdns.com X-AntiAbuse: Original Domain - lists.openwall.com X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - veera.biz X-Get-Message-Sender-Via: in-pun-ln-srv139.advancedserverdns.com: authenticated_id: vlse@veera.biz X-Authenticated-Sender: in-pun-ln-srv139.advancedserverdns.com: vlse@veera.biz Xref: news.gmane.org gmane.linux.lib.musl.general:14008 Archived-At: On Mon, Mar 25, 2019 at 10:59:37PM -0400, Rich Felker wrote: > On Tue, Mar 26, 2019 at 07:24:35AM +0530, vlse wrote: > > Hi, > > > > On Mon, Mar 25, 2019 at 09:37:06PM -0400, Rich Felker wrote: > > > On Mon, Mar 25, 2019 at 08:17:26PM -0500, A. Wilcox wrote: > > > > On 03/25/19 20:09, vlse wrote: > > > > > Hello, > > > > > > > > > > But for internet git access, either ssh or https smart protocol use > > > > > is necessary to prevent man in the middle attack. > > > > > > > > > > The request is reasonable. HTTPS is *not* "trivial to MITM", and > > > essentially impossible to do so without detection and a trail of > > > you can also verify authenticity of a git repo via "git fsck" and a > > > known good source of the commit hash (e.g. cgit over https). > > > > > > > Yes. cgit over https. We need a secure start first. > > > > > > > Please consider giving secure git access. Also smart http/s protocol > > > > > is way better than dumb protocol. It avoids downloading too much data > > > > > again and also shows progress and stats. > > > > > > > > > > Of course the git transport won't be taken away. I'd like to add https > > > support, but I'm not sure how to do it without a nasty bloated httpd > > > that would increase server resource requirements by 1-2 orders of > > > magnitude. If anyone knows a way to hook up thttpd to it, I'll give it > > > a try. > > > > Nginx is bloat free I think. But perhaps not in comparison to thttpd. > > I will look how to support cgit http/s with thttpd using a hook. > > > > At skarnet.org, the author is using busybox httpd with cgi support and > > cgit cgi hooks to give http/s git access. > > OK, that sounds promising. If it can be done with cgi, it should be > easy to setup, assuming the git client is forgiving of thttpd's > slightly non-conforming cgi behavior regarding headers. > > Rich Hi, On further enquiry I found that the latest cgit only supports dumb http protocol for cloning or fetch. But it has option to disable the http/s cloning support, so that another program can do it. Sorry, I was on the impression that skarnet was supporting git http/s smart protocol by using cgit itself. So we have to setup the git-http-backend provided with git-scm to work with web server cgi setup. Again the examples given at upstream site is with apache. So I am thinking of trying setting up thttpd with git-scm for support of http/s smart protocol locally in my linux machine. So I want to know the Source of thttpd your are running on git.musl-libc.org Version of thttpd Latest upstream version: https://acme.com/software/thttpd/thttpd-2.29.tar.gz Also I find you are providing https version of git.musl-libc.org site. thttpd does not supports https. Are you using stunnel for it? Let I may be of some help! Regards, Veera