Bug 89682 - Please enable https on anongit.freedesktop.org
Status: RESOLVED FIXED
Product: freedesktop.org
Classification: Unclassified
Component: Version control
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: fd.o Admin Massive
Keywords: security
Blocks: 90915
Reported: 2015-03-19 18:27 UTC by Rebecca Palmer
Modified: 2016-04-01 10:28 UTC

Description Rebecca Palmer 2015-03-19 18:27:37 UTC
It is currently not possible to clone fd.o git repositories over https:

$ git clone https://anongit.freedesktop.org/git/beignet.git
Cloning into 'beignet'...
fatal: unable to access 'https://anongit.freedesktop.org/git/beignet.git/': Failed to connect to anongit.freedesktop.org port 443: Connection refused

Using http:// or git:// instead works, but as these are un-authenticated protocols, they are vulnerable to man-in-the-middle attack (= arbitrary code execution when the user builds/runs what they just cloned).

While any such attack will change the commit number, that doesn't help if one doesn't know what it should be (cgit.freedesktop.org isn't secure either), and I suspect most people won't bother to check anyway.
Comment 1 Dominik Röttsches 2015-11-25 07:29:02 UTC
Same for http://www.freedesktop.org/software/ - the release files offered there should be served over https.
Comment 2 Simon McVittie 2016-02-08 14:11:12 UTC
(In reply to Rebecca Palmer from comment #0)
> It is currently not possible to clone fd.o git repositories over https

HTTPS seems to have been added, and my browser is happy with its validity, but git/wget aren't. Is there a missing intermediate certificate in the cert chain, perhaps?

(In reply to Dominik Röttsches from comment #1)
> Same for http://www.freedesktop.org/software/ - the release files offered
> there should be served over https.

That redirect seems to have been added now.

See also Bug #90915 (download.fd.o) and Bug #94046 (broken http -> https redirects for projects like dbus that have their own subdomains).
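
Added example (not part of the original thread): a local reproduction of the failure mode hypothesised in comment 2, where a server sends its leaf certificate without the intermediate. Browsers can often cache or fetch a missing intermediate, while a client that verifies only what the server sends against its CA bundle cannot build the chain. All names and certificates below are constructed placeholders, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Constructed demo: every key and certificate is generated locally; the names
# "Demo Root", "Demo Intermediate" and "anongit.example" are placeholders.
set -eu

make_chain() {  # build root CA -> intermediate CA -> leaf inside directory $1
    local d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Demo Root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=anongit.example' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root (its CA bundle); the server sends the leaf alone.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Same client, but the server also sends the intermediate (-untrusted).
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo() {
    local d; d=$(mktemp -d)
    make_chain "$d"
    if verify_leaf_only "$d"; then echo "leaf only: OK"
    else echo "leaf only: FAILED (issuer not found)"; fi
    if verify_with_intermediate "$d"; then echo "leaf + intermediate: OK"
    else echo "leaf + intermediate: FAILED"; fi
    rm -rf "$d"
}
demo
```

Against a live server, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` (HOST is a placeholder) lists the certificates the server actually sends, which is the chain such a client has to work with.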
Comment 3 Daniel Stone 2016-03-29 11:28:56 UTC
(In reply to Simon McVittie from comment #2)
> (In reply to Rebecca Palmer from comment #0)
> > It is currently not possible to clone fd.o git repositories over https
> 
> HTTPS seems to have been added, and my browser is happy with its validity,
> but git/wget aren't. Is there a missing intermediate certificate in the cert
> chain, perhaps?

Both git and wget are perfectly happy here, and I've not manually installed any certificates; is this still happening for you?
Comment 4 Rebecca Palmer 2016-03-29 21:23:10 UTC
'git pull' (from https://anongit.freedesktop.org/git/beignet.git) and the web interface (https://cgit.freedesktop.org/beignet/tree/) now work for me (Debian 8), but the above suggests they might not for everyone.
Comment 5 Daniel Stone 2016-04-01 10:28:12 UTC
Perhaps it was a transient problem; I've tried on Fedora, Debian, Ubuntu, and iOS with no problems. I'll close this for now, and can reopen if it still happens for someone.

