[cfarm-users] Unable to git pull on gcc112

Jacob Bachmeyer jcb62281 at gmail.com
Fri Apr 1 04:24:20 CEST 2022


Vincent Lefevre via cfarm-users wrote:
> On 2022-03-30 18:52:23 -0500, Jacob Bachmeyer via cfarm-users wrote:
>   
>> Vincent Lefevre via cfarm-users wrote:
>>     
>>> On 2022-03-29 22:01:26 -0500, Jacob Bachmeyer via cfarm-users wrote:
>>>       
>>>> Jeffrey Walton via cfarm-users wrote:
>>>>         
>>>>> When I try git://github.com/weidai11/cryptopp/:
>>>>>
>>>>> $ git pull
>>>>> fatal: remote error:
>>>>>  The unauthenticated git protocol on port 9418 is no longer supported.
>>>>>           
>>>> While this does not help you, the root of this latter problem seems to be
>>>> that GitHub has decided to deliberately break compatibility with one of
>>>> Git's standard features using "security" as an excuse.  This is, of course,
>>>> ridiculous for public repositories, since public repositories are, well,
>>>> public.
>>>>         
>>> Even though they are public, you still need to have a way to
>>> authenticate the host to ensure that you will not connect to
>>> a fake server (in particular with "git clone").
>>>       
>
> Actually an attack is also possible for "git pull".
>   

Yes, but the solution is the same:  review the code/changes in your 
local repository, then make sure the commit IDs match at the farm.

Failing to review changes from upstream is how the recent node-ipc 
incident did damage.  (Of course, about no one actually does fully 
review patches pulled from upstream, which is why those violations of 
trust do so much damage...)

>> Easily solved by checking the HEAD commit against a known-good ID; either
>> the origin tracking branch in your local copy, or as I have done in the past
>> with GitHub, by looking at the (HTTPS) Web page.  If those IDs match, you
>> have the correct data, with overwhelming probability.  If they do not match,
>> find the differences and you have just caught an attacker in the act.
>>     
>
> AFAIK, this also needs to be done for every branch that will
> potentially be used.
>   

Yes, but for cfarm that should not be a problem, since you should be 
comparing against your local copy.  Also, most of the repositories I 
have used from GitHub have few branches, often only the default "master" 
(now often renamed "main" in a fit of slacktivist stupidity) so these 
checks are usually trivial.  Generally, I avoid GitHub; they get a very 
solid "F" on the FSF's rating scale because the site does not work 
without running nonfree JavaScript, and I make heavy use of NoScript as 
part of my general security policy.

This may actually be another workaround:  keep local copies of 
repositories that you use and push from those to the farm.  Then you 
never need to pull from GitHub on the farm machines, only from your farm 
mirrors, which you update via SSH "git push" from your own machine.  Git 
clones on the same filesystem use hardlinks to share the actual object 
pool, so there is minimal overhead with this setup.

> Most users will not do such checks, so it's quite understandable
> that GitHub disabled an insecure protocol. Nowadays, I don't see
> the point of not using a secure protocol.

Security is always a trade-off and is never entirely without costs.  I 
stand by my original position that GitHub removing choice from the user 
here is bad and wrong.  Rightly, it is up to you to balance risk vs. 
effort to mitigate same as they apply to _your_ situation.

There are also possibilities of attacks effective against HTTP(S) that 
cannot work against other other protocols.  At least one example is 
known.  "Man on the Side" exploits the option of returning a redirect in 
HTTP by racing origin server latency.  A similar attack _may_ be 
possible on HTTPS, if the attacker can complete a TLS negotiation before 
the first origin server reply arrives.  Similar attacks are definitely 
_not_ possible on FTP and the 9418 Git protocol, which do not allow 
servers to refer clients to other servers.  Against this particular type 
of attack, therefore, those plaintext protocols may offer _greater_ 
security than the encrypted HTTPS.


-- Jacob



More information about the cfarm-users mailing list