NetBSD Problem Report #58323

From www@netbsd.org  Sat Jun  8 16:58:54 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 601CB1A923A
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  8 Jun 2024 16:58:54 +0000 (UTC)
Message-Id: <20240608165853.099571A923C@mollari.NetBSD.org>
Date: Sat,  8 Jun 2024 16:58:52 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: pkgsrc-wip lacks server-authenticated, client-anonymous access method
X-Send-Pr-Version: www-1.0

>Number:         58323
>Category:       pkg
>Synopsis:       pkgsrc-wip lacks server-authenticated, client-anonymous access method
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 08 17:00:00 +0000 2024
>Last-Modified:  Mon Jun 10 11:25:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        
>Organization:
The pkgsrc wipation
>Environment:
>Description:
According to https://pkgsrc.org/wip/, you can get wip either via:

- git clone git://wip.pkgsrc.org/pkgsrc-wip.git wip, for anonymous clients, which doesn't authenticate the server, so exposes people to MITM attacks on the network; or

- signing up to contribute and then git clone username@wip.pkgsrc.org:/pkgsrc-wip.git wip, which does authenticate the server, but requires users to identify themselves to the server first.

There is also a browsable gitweb instance at https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=summary but I don't see a way to git clone out of it.

pkgsrc-wip should also be available via https, so that anyone can get wip without identifying themselves up front to set up an account.
>How-To-Repeat:
try to use pkgsrc-wip without an account
>Fix:
1. Configure the httpd to run git-http-backend out of /pkgsrc-wip.git (may require teaching bozohttpd about chunked input, or may require running nginx or apache2 or something instead to handle that).

2. Alternatively: expose an anonymous ssh method, like we do for anoncvs (may require some more engineering work to do this safely).

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->wiz
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Sat, 08 Jun 2024 19:34:58 +0000
Responsible-Changed-Why:
Thomas manages pkgsrc-wip


Responsible-Changed-From-To: wiz->pkg-manager
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Sat, 08 Jun 2024 19:51:06 +0000
Responsible-Changed-Why:
Ask me for access if you want to handle this.


From: Taylor R Campbell <riastradh@NetBSD.org>
To: wiz@NetBSD.org
Cc: pkg-manager@NetBSD.org, wiz@NetBSD.org, pkgsrc-bugs@NetBSD.org,
	gnats-admin@NetBSD.org, gnats-bugs@NetBSD.org
Subject: Re: pkg/58323 (pkgsrc-wip lacks server-authenticated, client-anonymous access method)
Date: Mon, 10 Jun 2024 11:21:51 +0000

 > Date: Sat,  8 Jun 2024 19:51:07 +0000 (UTC)
 > From: wiz@NetBSD.org
 > 
 > Ask me for access if you want to handle this.

 I have access, can take a look in a bit, just wanted to have a ticket
 filed to record the state of affairs and to coordinate who's messing
 with it.

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.