It would be great to have a secure option when cloning git repositories anonymously.
Even better would be to use the same url everywhere (as on GitHub).
The docs page at http://sourceforge.net/p/forge/documentation/Git/ also needs to be updated (RW and RO sections), because it isn't clear what password to use for authenticated https access, and unauthenticated ssh clearly won't work.
Hi, this seems like a feature request to me.
What does "It would be great to have a secure option when cloning git repositories anonymously." mean?
Here is a random project git page (PDFedit); the recommended clone command is:
git check the files
so git itself checks for files corruption.
What kind of security do you need?
Are you talking about sf.net and sourceforge.net? /p/ and /projects/ in URLs?
They should be interchangeable.
Your SourceForge account password.
Under 'Accessing the repository via the shell' you can read:
In the linked SSH page you can read
Anyway, you are right: documentation needs to be updated.
In this case the SSH page needs a table of contents, and it would be better if the Git page linked to this URL fragment in that page.
Related
Documentation: SSH
Last edit: Zangune 2015-08-18
Ticket moved from /p/forge/site-support/9216/
Can't be converted:
-removed by author-
Last edit: Anonymous 2015-06-04
Based on the recent history of RCEs in git (CVE-2015-7545, CVE-2016-2324, CVE-2016-2315) I believe it is absolutely imperative for Sourceforge to implement a secure anonymous channel to protect users from malicious traffic injection during clone/fetch.
I just discovered SF doesn't support anonymous encrypted git checkouts. Please add this, there are a variety of attacks where lack of encryption is a problem.
I would say this is a plain bug. The current documentation at [1] says
The last statement is wrong: an anonymous link like [2] doesn't work, it prompts for a password.
The importance of this bug is highlighted by the fact that standard Debian packaging tools warn about using anonymous git urls (the only viable option today) for retrieving code [3].
[1] https://sourceforge.net/p/forge/documentation/Git/
[2] https://git.code.sf.net/p/lirc/git
[3] https://mentors.debian.net/package/lirc
Last edit: Alec Leamas 2016-05-17
I also consider this a bug, rather than just a feature request; both in the documentation (in that attempting to clone a 'https://git-code.sf.net/p/PROJECTNAME/REPOSITORY/' URI results in a prompt for a 'Username') and in that the capability itself for secure anonymous access to a git repository does not appear to be present.
This now appears to have been fixed (https read access now works without a password).