NetBSD Problem Report #58323
From www@netbsd.org Sat Jun 8 16:58:54 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 601CB1A923A
for <gnats-bugs@gnats.NetBSD.org>; Sat, 8 Jun 2024 16:58:54 +0000 (UTC)
Message-Id: <20240608165853.099571A923C@mollari.NetBSD.org>
Date: Sat, 8 Jun 2024 16:58:52 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: pkgsrc-wip lacks server-authenticated, client-anonymous access method
X-Send-Pr-Version: www-1.0
>Number: 58323
>Category: pkg
>Synopsis: pkgsrc-wip lacks server-authenticated, client-anonymous access method
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jun 08 17:00:00 +0000 2024
>Last-Modified: Mon Jun 10 11:25:00 +0000 2024
>Originator: Taylor R Campbell
>Release:
>Organization:
The pkgsrc wipation
>Environment:
>Description:
According to https://pkgsrc.org/wip/, you can get wip either via:
- git clone git://wip.pkgsrc.org/pkgsrc-wip.git wip, for anonymous clients, which doesn't authenticate the server, so exposes people to MITM attacks on the network; or
- signing up to contribute and then git clone username@wip.pkgsrc.org:/pkgsrc-wip.git wip, which does authenticate the server, but requires users to identify themselves to the server first.
There is also a browsable gitweb instance at https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=summary but I don't see a way to git clone out of it.
pkgsrc-wip should also be available via https, so that anyone can get wip without identifying themselves up front to set up an account.
>How-To-Repeat:
try to use pkgsrc-wip without an account
>Fix:
1. Configure the httpd to run git-http-backend out of /pkgsrc-wip.git (may require teaching bozohttpd about chunked input, or may require running nginx or apache2 or something instead to handle that).
2. Alternatively: expose an anonymous ssh method, like we do for anoncvs (may require some more engineering work to do this safely).
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->wiz
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Sat, 08 Jun 2024 19:34:58 +0000
Responsible-Changed-Why:
Thomas manages pkgsrc-wip
Responsible-Changed-From-To: wiz->pkg-manager
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Sat, 08 Jun 2024 19:51:06 +0000
Responsible-Changed-Why:
Ask me for access if you want to handle this.
From: Taylor R Campbell <riastradh@NetBSD.org>
To: wiz@NetBSD.org
Cc: pkg-manager@NetBSD.org, wiz@NetBSD.org, pkgsrc-bugs@NetBSD.org,
gnats-admin@NetBSD.org, gnats-bugs@NetBSD.org
Subject: Re: pkg/58323 (pkgsrc-wip lacks server-authenticated, client-anonymous access method)
Date: Mon, 10 Jun 2024 11:21:51 +0000
> Date: Sat, 8 Jun 2024 19:51:07 +0000 (UTC)
> From: wiz@NetBSD.org
>
> Ask me for access if you want to handle this.
I have access, can take a look in a bit, just wanted to have a ticket
filed to record the state of affairs and to coordinate who's messing
with it.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.