From: "A. Wilcox"
Newsgroups: gmane.linux.lib.musl.general
To: musl@lists.openwall.com
Subject: Re: Supporting git access via smart HTTPS protocol for musl-libc
Date: Mon, 25 Mar 2019 20:17:26 -0500
Organization: Adélie Linux
Message-ID: <397c5906-090a-460e-7ea8-8f9248e0be59@adelielinux.org>
In-Reply-To: <20190326010933.GC3713@localhost>

On 03/25/19 20:09, vlse wrote:
> Hello,
>
> Would musl-libc support git access via smart HTTPS protocol.
> As git man page says as well as stackoverflow site that using git protocol
> is fine for lan operations.
> But for internet git access, either ssh or https smart protocol use
> is necessary to prevent man in the middle attack.

This is more an argument for signing commits so that they are
cryptographically provable. HTTPS is trivial to MITM, especially for the
kind of actors that would care enough to MITM musl at all.

Threat models, people.

> Please consider giving secure git access. Also smart http/s protocol
> is way better than dumb protocol. It avoids downloading too much data
> again and also shows progress and stats.

There is absolutely no difference in transmitted data between the Git
protocol and the HTTP Git transport, other than the useless overhead of
HTTP messages, which actually skews favour towards the Git protocol.
Also, the Git protocol is in my experience much much faster.

The Git transport definitely can show progress and stats, the same as
the HTTP transport:

awilcox on gwyn [pts/18 Mon 25 20:13] ~: git clone git://git.musl-libc.org/musl
Cloning into 'musl'...
remote: Counting objects: 31396, done.
remote: Compressing objects: 100% (12589/12589), done.
remote: Total 31396 (delta 22605), reused 25698 (delta 18440)
Receiving objects: 100% (31396/31396), 4.77 MiB | 3.17 MiB/s, done.
Resolving deltas: 100% (22605/22605), done.

(It did show the progress as it was downloading, but since I am on a
fairly fast link, I couldn't copy it.)

Personally I would be okay with musl offering an HTTP(S) transport as an
option, but please do not take away the Git transport. It is much
faster in my experience. Every second wasted on stupid HTTP traffic is
a second of my life I can't get back.

--arw

-- 
A. Wilcox (awilfox)
Project Lead, Adélie Linux
https://www.adelielinux.org
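
The message above argues for signed commits over transport security. As an added example (not part of the original message or of musl's tooling), the sketch below shows why a commit ID obtained from a verified signature is enough to check content fetched over any transport: a git object ID is a hash over the object's content, and a commit names its tree, which names its blobs. It assumes a SHA-1 repository; the file name, identity, timestamp and file contents are constructed for illustration.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Object ID as git computes it in SHA-1 repos: sha1("<type> <size>\\0" + body)."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """Serialize file entries (mode, name, hex object id), sorted by name."""
    out = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}".encode() + b"\x00" + bytes.fromhex(oid)
    return out

def commit_body(tree_oid: str, message: str) -> bytes:
    # Constructed identity and timestamp, for illustration only.
    who = "Example Dev <dev@example.invalid> 1553562000 +0000"
    return f"tree {tree_oid}\nauthor {who}\ncommitter {who}\n\n{message}\n".encode()

def commit_id_for(file_bytes: bytes) -> str:
    """Hash a one-file repository bottom-up: blob -> tree -> commit."""
    blob = git_object_id("blob", file_bytes)
    tree = git_object_id("tree", tree_body([("100644", "hello.c", blob)]))
    return git_object_id("commit", commit_body(tree, "add hello.c"))

def verify_received(pinned_commit_id: str, received_file_bytes: bytes) -> bool:
    """True only if the received content hashes up to the pinned commit ID."""
    return commit_id_for(received_file_bytes) == pinned_commit_id

# Constructed sample content: what the author committed, and what a
# tampering intermediary might deliver instead.
ORIGINAL = b"int main(void) { return 0; }\n"
TAMPERED = b"int main(void) { return 1; }\n"

# Stands in for a commit ID taken from a signature the user has verified
# (git verify-commit / git verify-tag do that step on a real repository).
PINNED = commit_id_for(ORIGINAL)

if __name__ == "__main__":
    print("original accepted:", verify_received(PINNED, ORIGINAL))
    print("tampered accepted:", verify_received(PINNED, TAMPERED))
```
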