
git access via https fails
Closed, Resolved, Public

Description

Since T2744 was fixed, https://git.gnupg.org/ suggests you can use https to
access the git repos, e.g.

git clone https://git.gnupg.org/gnupg.git

This returns http error 503 for me. Using the unencrypted git: protocol works fine.

Should cloning via https work?

Event Timeline

It is simply not implemented yet. We need to do this, of course, instead of
fixing the website.

I looked into this. Pound is configured to relay these requests to
127.0.0.2:80, but no backend listens there. git http-backend can serve these
requests, is a cgi program and thus needs a webserver to run.

https://git-scm.com/docs/git-http-backend

I believe we could set up another instance of boa for the purpose of running it.

Werner, if you agree to that plan I could give it a shot.

Yes, please do. Look at trithemius to see how to run several boa instances.
You really need to give the binary another name.

[I'm doing s@://@: / /@g so that roundup does not complain about this message
having too many links.]

So I did that. There are two problems:

1/ We advertise URLs of the form 'https: / /git.gnupg.org/foo.git', but this URL
contains only the name of the repository as the path. In boa, I need to specify
a non-empty path in the ScriptAlias directive for the path to CGIs, and then the
script itself also needs a non-empty name. Neither pound nor boa seems to have
path-rewriting functionality, so I don't see how we can serve a git repository
using the 'git-http-backend' CGI this way (w/o patching boa that is).

I decided to be pragmatic about it (at least for the moment) and go for URLs of
the form 'https: / /git.gnupg.org/g/it/foo.git', so I can use 'ScriptAlias /g
...', and use 'it' for the script name. However:

2/ Something is fishy with the TLS setup:

% git clone https: / /git.gnupg.org/g/it/ntbtls.git
Cloning into 'ntbtls'...
fatal: unable to access 'https: / /git.gnupg.org/g/it/ntbtls.git/': GnuTLS recv
error (-110): The TLS connection was non-properly terminated.
% wget -O - --tries=1 https: / /git.gnupg.org/g/it/ntbtls.git/info/refs?service=git-upload-pack
--2017-03-16 17:34:02-- https: / /git.gnupg.org/g/it/ntbtls.git/info/refs?service=git-upload-pack
Resolving git.gnupg.org (git.gnupg.org)... 217.69.76.56, 2001:aa8:fff1:2100::56
Connecting to git.gnupg.org (git.gnupg.org)|217.69.76.56|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-git-upload-pack-advertisement]
Saving to: ‘STDOUT’

[<=> ] 0 --.-KB/s 001e# service=git-upload-pack

000000d506bb9a836981e48c2e6939fb21480d97253a4588 HEADmulti_ack thin-pack
side-band side-band-64k ofs-delta shallow no-progress include-tag
multi_ack_detailed no-done symref=HEAD:refs/heads/master agent=git/2.8.0.rc3
003f06bb9a836981e48c2e6939fb21480d97253a4588 refs/heads/master
00449fb1c710e821f27ac7039c2b3bdd584ccc6012e6 refs/tags/ntbtls-0.1.0
004750ad7a2206bac7682195e8285af96e0d790891b3 refs/tags/ntbtls-0.1.0^{}
00449b970fc16d5c257651c9377ec97fb255d2425583 refs/tags/ntbtls-0.1.1
00475de470fbeb7b6d92070206414d130dfb53d96e69 refs/tags/ntbtls-0.1.1^{}

[ <=> ] 592 --.-KB/s in 0.003s

2017-03-16 17:34:02 (214 KB/s) - Read error at byte 592 (The TLS connection was
non-properly terminated.).Giving up.
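
An added example, not part of the original thread or of GnuPG's server setup: a pkt-line framing check for an info/refs body like the one in the wget output above, which tells a response cut off mid-stream from one whose bytes all arrived. SAMPLE is rebuilt from the refs in that output; the NUL after HEAD and the closing flush-pkt `0000` are not visible in the paste and are assumed here.

```python
import binascii

FLUSH = b"0000"  # flush-pkt: marks the end of a section of the stream

def pkt(payload: bytes) -> bytes:
    """Frame one pkt-line: 4 hex digits giving the total length, header included."""
    return b"%04x" % (len(payload) + 4) + payload

def parse_pkt_lines(body: bytes):
    """Return (packets, complete); a None entry is a flush-pkt.
    complete is True only if every packet is whole and the body ends on a flush-pkt."""
    packets, pos = [], 0
    while pos < len(body):
        header = body[pos:pos + 4]
        try:
            if len(header) < 4:
                raise ValueError("short length header")
            length = int.from_bytes(binascii.unhexlify(header), "big")
        except ValueError:          # binascii.Error is a ValueError subclass
            return packets, False
        if length == 0:             # flush-pkt carries no payload
            packets.append(None)
            pos += 4
            continue
        if length < 4 or pos + length > len(body):
            return packets, False   # invalid length, or cut off mid-packet
        packets.append(body[pos + 4:pos + length])
        pos += length
    return packets, bool(packets) and packets[-1] is None

# Sample rebuilt from the thread's wget output (NUL and final flush-pkt assumed).
HEAD = b"06bb9a836981e48c2e6939fb21480d97253a4588"
CAPS = (b"multi_ack thin-pack side-band side-band-64k ofs-delta shallow "
        b"no-progress include-tag multi_ack_detailed no-done "
        b"symref=HEAD:refs/heads/master agent=git/2.8.0.rc3")
SAMPLE = (
    pkt(b"# service=git-upload-pack\n") + FLUSH
    + pkt(HEAD + b" HEAD\0" + CAPS + b"\n")
    + pkt(HEAD + b" refs/heads/master\n")
    + pkt(b"9fb1c710e821f27ac7039c2b3bdd584ccc6012e6 refs/tags/ntbtls-0.1.0\n")
    + pkt(b"50ad7a2206bac7682195e8285af96e0d790891b3 refs/tags/ntbtls-0.1.0^{}\n")
    + pkt(b"9b970fc16d5c257651c9377ec97fb255d2425583 refs/tags/ntbtls-0.1.1\n")
    + pkt(b"5de470fbeb7b6d92070206414d130dfb53d96e69 refs/tags/ntbtls-0.1.1^{}\n")
    + FLUSH
)

if __name__ == "__main__":
    packets, complete = parse_pkt_lines(SAMPLE)
    print(len(SAMPLE), "bytes,", len(packets), "packets, complete:", complete)
```

With those two assumptions the sample is 592 bytes, the same offset at which wget reported its read error.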

phabricator already mirrors these repositories, and the mirrors are accessible via https, e.g. https://dev.gnupg.org/source/gnupg.git
How about just pointing to these and leaving git.gnupg.org git-only?

In T2844#96255, @marcus wrote:

phabricator already mirrors these repositories, and the mirrors are accessible via https, e.g. https://dev.gnupg.org/source/gnupg.git
How about just pointing to these and leaving git.gnupg.org git-only?

I did just that.