Bug 89682

Summary: Please enable https on anongit.freedesktop.org
Product: freedesktop.org Reporter: Rebecca Palmer <rebecca_palmer>
Component: Version controlAssignee: fd.o Admin Massive <sitewranglers>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: daniel, d-r, freedesktop
Version: unspecifiedKeywords: security
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 90915    

Description Rebecca Palmer 2015-03-19 18:27:37 UTC 
It is currently not possible to clone fd.o git repositories over https:

$ git clone https://anongit.freedesktop.org/git/beignet.git
Cloning into 'beignet'...
fatal: unable to access 'https://anongit.freedesktop.org/git/beignet.git/': Failed to connect to anongit.freedesktop.org port 443: Connection refused

Using http:// or git:// instead works, but as these are un-authenticated protocols, they are vulnerable to man-in-the-middle attack (= arbitrary code execution when the user builds/runs what they just cloned).

While any such attack will change the commit number, that doesn't help if one doesn't know what it should be (cgit.freedesktop.org isn't secure either), and I suspect most people won't bother to check anyway.
Comment 1 Dominik Röttsches 2015-11-25 07:29:02 UTC 
Same for http://www.freedesktop.org/software/ - the release files offered there should be served over https.
Comment 2 Simon McVittie 2016-02-08 14:11:12 UTC 
(In reply to Rebecca Palmer from comment #0)
> It is currently not possible to clone fd.o git repositories over https

HTTPS seems to have been added, and my browser is happy with its validity, but git/wget aren't. Is there a missing intermediate certificate in the cert chain, perhaps?

(In reply to Dominik Röttsches from comment #1)
> Same for http://www.freedesktop.org/software/ - the release files offered
> there should be served over https.

That redirect seems to have been added now.

See also Bug #90915 (download.fd.o) and Bug #94046 (broken http -> https redirects for projects like dbus that have their own subdomains).
Comment 3 Daniel Stone 2016-03-29 11:28:56 UTC 
(In reply to Simon McVittie from comment #2)
> (In reply to Rebecca Palmer from comment #0)
> > It is currently not possible to clone fd.o git repositories over https
> 
> HTTPS seems to have been added, and my browser is happy with its validity,
> but git/wget aren't. Is there a missing intermediate certificate in the cert
> chain, perhaps?

Both git and wget are perfectly happy here, and I've not manually installed any certificates; is this still happening for you?
Comment 4 Rebecca Palmer 2016-03-29 21:23:10 UTC 
'git pull' (from https://anongit.freedesktop.org/git/beignet.git) and the web interface (https://cgit.freedesktop.org/beignet/tree/) now work for me (Debian 8), but the above suggests they might not for everyone.
Comment 5 Daniel Stone 2016-04-01 10:28:12 UTC 
Perhaps it was a transient problem; I've tried on Fedora, Debian, Ubuntu, and iOS with no problems. I'll close this for now, and can reopen if it still happens for someone.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.