Fetching from the git repositories over https?

Adam Plaice

Fetching from the git repositories over https?

I apologise if I'm asking in the wrong place.

Is it possible to clone/fetch from the notmuch git repositories
(particularly https://git.notmuchmail.org/git/notmuch) over https
rather than with the `git://' protocol?  (None of the likely
alternatives seem to work.)

If not, would it be inconvenient for this to be enabled, as an
option (if not the recommended one)?

Having such an option would be valuable for the purposes of MELPA and
MELPA stable (the Emacs package archives which provide an alternative,
slightly controversial, way of installing the Notmuch Emacs
interface).  Since the scripts that build the package archives fetch
from upstream sources (such as git://git.notmuchmail.org/git/notmuch)
automatically (without human oversight or code inspection) and the
`git://' protocol does not provide any authentication, there is
currently no guarantee that when the MELPA server tries to connect to
notmuchmail.org it's not actually being "Man-in-the-middled" by a
malicious third party.  As a result, it would be possible for such a
third party to introduce some changes to the Elisp code, that would
compromise the machines of any users who install the modified package.

Using https would raise the bar, from anybody who can hijack the
connection between MELPA and notmuchmail.org, to those who can compromise
the SSL certificate chain.

Thank you for your time and thank you for notmuch,
Adam
_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch

Daniel Kahn Gillmor

Re: Fetching from the git repositories over https?

Hi Adam--

On Sun 2018-01-28 17:26:08 +0000, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.
>
> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol?  (None of the likely
> alternatives seem to work.)

It's currently not possible to do that, but some maintenance work is
underway that might allow us to support it in the future.

I agree with you that https:// is probably a better transport than
git:// in 2018, regardless of what MELPA thinks :)

> Using https would raise the bar, from anybody who can hijack the
> connection between MELPA and notmuchmail.org, to those who can compromise
> the SSL certificate chain.

Whether we use https or not, MELPA should be relying on signed git tags
from known release managers of the upstream projects.

For notmuch, that would be David Bremner, openpgp key fingerprint
815B63982A79F8E7C72786C4762B57BB784206AD

If MELPA is relying only on HTTPS for source integrity, it's vulnerable
to any breakage in the HTTPS security model -- from malicious CAs to
cryptographic attacks against the TLS layer itself.

I agree with you that https:// is preferable to git://, but please
encourage MELPA to take the next step and properly verify the retrieved
source directly via OpenPGP.

Regards,

        --dkg
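
The check recommended in the message above, as an added example that is not part of the original thread: a shell helper that accepts a tag only when `git verify-tag --raw` reports a valid signature from the fingerprint quoted above. The function names and the sample status lines are constructed for illustration, and the signer's public key is assumed to be in the local GnuPG keyring already.

```shell
#!/bin/sh
# Added example, not from the thread: check a git tag signature against a
# pinned OpenPGP fingerprint instead of trusting the transport alone.

# Fingerprint quoted in the message above for the notmuch release manager.
PINNED_FPR=815B63982A79F8E7C72786C4762B57BB784206AD

# status_matches_pin PIN: read GnuPG status lines on stdin. Succeed only if a
# VALIDSIG line names PIN as the signing key ($3) or primary key (last field)
# and no line reports an expired or revoked key or an expired signature.
status_matches_pin() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { ok = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_tag REPO_DIR TAG: assumes the signer's public key is already in the
# local GnuPG keyring, obtained and checked out of band.
verify_tag() {
    out=$(git -C "$1" verify-tag --raw "$2" 2>&1) || return 1
    printf '%s\n' "$out" | status_matches_pin "$PINNED_FPR"
}

# Constructed status output (not captured from a real tag) for an offline run.
sample_good() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG 762B57BB784206AD Constructed Signer <signer@example.invalid>" \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2018-02-09 1518157684 0 4 0 1 8 00 $PINNED_FPR"
}
sample_other_key() {   # valid signature, but from a key that is not pinned
    other=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' "[GNUPG:] VALIDSIG $other 2018-02-09 1518157684 0 4 0 1 8 00 $other"
}
```

In a clone made with `git clone https://git.notmuchmail.org/git/notmuch`, call `verify_tag notmuch <tag>` with the tag that is about to be built, and stop the build when it returns non-zero.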

Adam Plaice


Re: Fetching from the git repositories over https?

Hi Daniel,

Thanks very much for the reply.  I fully agree that the verifying of
git tags by MELPA would be valuable (and rather important from a
security perspective), and will bring it up.

BTW, is the GitHub mirror https://github.com/notmuch/notmuch/
mentioned in README.rst, semi-official in the sense of being likely to
be up to date?  If yes, it could be used as a stopgap intermediary
"source" for MELPA, until https transport is possible with the main
notmuch repository or MELPA supports verifying signed git tags.

Thanks again,
Adam

Daniel Kahn Gillmor

Re: Fetching from the git repositories over https?

On Fri 2018-02-09 06:28:04 +0000, Adam Plaice wrote:
> Thanks very much for the reply.  I fully agree that the verifying of
> git tags by MELPA would be valuable (and rather important from a
> security perspective), and will bring it up.

Thanks for doing that!  If you need any backup in the discussion, or if
you think that your suggestion is not being taken as seriously as is
warranted, i'd be happy to try to help explain the issues to the MELPA
folks -- contact me directly offlist if you want to coordinate on this.

> BTW, is the GitHub mirror https://github.com/notmuch/notmuch/
> mentioned in README.rst, semi-official in the sense of being likely to
> be up to date?  If yes, it could be used as a stopgap intermediary
> "source" for MELPA, until https transport is possible with the main
> notmuch repository or MELPA supports verifying signed git tags.

I think if you use the github mirror, you might just be pushing off
cleartext fetching to someone else, since that mirror appears to be
synced over http itself :/  I don't actually know who maintains that
mirror, and i don't know how to update where it syncs from...

However, Carl Worth (in Cc) just mentioned on IRC that he set up https
for the official notmuch repo!  So please use this URL:

   https://git.notmuchmail.org/git/notmuch

Thanks Carl! :)

All the best,

    --dkg

Carl Worth-2

Re: Fetching from the git repositories over https?

In reply to this post by Adam Plaice
On Sun, Jan 28 2018, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.

Not at all. This is the right place.

> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol?  (None of the likely
> alternatives seem to work.)

It wasn't possible when you asked, but I just configured this, and it
seems to work.

Specifically, I have tested that I can point my browser at:

        https://git.notmuchmail.org/git/notmuch

to see the gitweb view of the git history on the web, and I can also use
that same URL for a git clone:

        git clone https://git.notmuchmail.org/git/notmuch

and that works.

I also verified that a "git push" from such a clone results in a 403
error as desired.

So give that a try, and anyone, let me know if you see anything that I
may have broken or set up incorrectly.

Also, I haven't yet updated any documentation to point to this new
mechanism, so that's something that could still be done.

> Thank you for your time and thank you for notmuch,

You're quite welcome. And thank you for your contribution!

-Carl

Adam Plaice

Re: Fetching from the git repositories over https?

In reply to this post by Daniel Kahn Gillmor
> Thanks for doing that!  If you need any backup in the discussion, or if
> you think that your suggestion is not being taken as seriously as is
> warranted, i'd be happy to try to help explain the issues to the MELPA
> folks -- contact me directly offlist if you want to coordinate on this.

Thanks for the offer!  FWIW, I've opened an issue here:

https://github.com/melpa/melpa/issues/5294

> I think if you use the github mirror, you might just be pushing off
> cleartext fetching to someone else, since that mirror appears to be
> synced over http itself :/  I don't actually know who maintains that
> mirror, and i don't know how to update where it syncs from...

I had been hoping that the mirror was updated by a notmuch contributor
who had access to the main repository and could fetch the code over ssh,
though in any case this is now irrelevant.

> However, Carl Worth (in Cc) just mentioned on IRC that he set up https
> for the official notmuch repo!  So please use this URL:

>    https://git.notmuchmail.org/git/notmuch

> Thanks Carl! :)

That's brilliant. Thanks very much (and thanks Carl)!

Adam

Adam Plaice

Re: Fetching from the git repositories over https?

In reply to this post by Carl Worth-2
Thanks again very much for implementing this!

I've encountered no issues when cloning.

> Also, I haven't yet updated any documentation to point to this new
> mechanism, so that's something that could still be done.

Taken as a suggestion and done:
https://git.notmuchmail.org/git?p=notmuch-wiki;a=commitdiff;h=6b421471aaad8160981561c705dae1cbaa17702c;hp=591299b2f4b15f6ef7e8c308ead9c3a30b7c7563

I've left the instructions for the wiki, at
https://notmuchmail.org/wikiwriteaccess/
unchanged, as I'm not sure whether the push mechanism would work with the
https transport and don't want to experiment.  Also, MITM attacks aren't much
of a worry in this case...

Thank you for a very welcoming attitude,
Adam