Created attachment 115113
Patch to use HTTPS instead of SSH (git format-patch)

I think kdesrc-build should use HTTPS instead of SSH for the anonymous git clones for a number of reasons:

- It is more likely to work when behind a firewall/proxy.
- We hint at this issue and recommend HTTPS over SSH for that particular case in our wiki guideline/howto as well: https://community.kde.org/Guidelines_and_HOWTOs/Build_from_source#Git_remote_prefix
- Installing git does not automatically imply installing an ssh client, that is: if you set up a minimal distro with git + subversion + bzr you'll find kdesrc-build won't work out of the box.
- kdesrc-build must trust the kde git server unconditionally; with HTTPS you still get some certificate validation.
- Related to that: if I understand kdesrc-build correctly here, this would also imply that SSH would break if anongit.kde.org was moved to a different server with a different SSH key. With HTTPS/certificates this is not an issue.

A patch is attached to move kdesrc-build to HTTPS (git format-patch).
Thanks for the patch! Sadly patches in bugs tend to get missed. Can you please upload it to phabricator.kde.org so we can do code review and land it once accepted? Thanks! See the documentation at https://community.kde.org/Infrastructure/Phabricator
Git commit 01888c0bb3800b3dcbd673cdd8b4ab01807dcf6a by Michael Pyne.
Committed on 23/09/2018 at 00:21.
Pushed by mpyne into branch 'master'.

git: Remove old kde: alias if installed.

Git should actually Do the Right Thing if the old git:// alias is installed with the https:// one (the longest match wins). But it's still better to clean up after ourselves.

M +12 -0 modules/ksb/Updater/Git.pm

https://commits.kde.org/kdesrc-build/01888c0bb3800b3dcbd673cdd8b4ab01807dcf6a
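An added check, not part of kdesrc-build or of this thread: a Python audit of `git config --list` output for the leftover the commit above cleans up, a `kde:` rewrite alias that still points at unauthenticated `git://` next to the `https://` one. The sample config and the exact alias values are constructed assumptions; only the `kde:` alias name and the anongit.kde.org host come from the thread.

```python
from collections import defaultdict

# Transports that give no encryption and no server authentication.
INSECURE_SCHEMES = ("git://", "http://")

# Constructed sample of `git config --global --list` output. The alias values
# are assumptions; only "kde:" and anongit.kde.org appear in the thread.
SAMPLE_CONFIG = """\
user.name=Example User
url.git://anongit.kde.org/.insteadof=kde:
url.https://anongit.kde.org/.insteadof=kde:
"""


def parse_rewrites(config_text):
    """Return {(kind, prefix): [base, ...]} for url.<base>.insteadOf entries."""
    rewrites = defaultdict(list)
    for line in config_text.splitlines():
        key, sep, prefix = line.partition("=")
        if not sep or not key.lower().startswith("url."):
            continue
        # The key is url.<base>.<kind>; <base> itself may contain dots.
        base, _, kind = key[4:].rpartition(".")
        if kind.lower() in ("insteadof", "pushinsteadof") and base:
            rewrites[(kind.lower(), prefix)].append(base)
    return rewrites


def audit(config_text):
    """Report insecure rewrite targets and prefixes mapped to several targets."""
    findings = []
    for (kind, prefix), bases in sorted(parse_rewrites(config_text).items()):
        for base in bases:
            if base.lower().startswith(INSECURE_SCHEMES):
                findings.append(("insecure-transport", kind, prefix, base))
        if len(set(bases)) > 1:
            # Which target git picks is not obvious to a reader; flag it.
            findings.append(("conflicting-targets", kind, prefix, tuple(bases)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```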
Hmm, I'd added the magic "close the bug" tag on Johan's commit but I forget he needs to be a dev for that to actually work. Closing manually. A separate patch review won't be needed; this was committed as 2c09ca0d8bc469d9860fc293b3e1eae2814dd4cb
Git commit 96093c4fead6ea56dd037335786fd31e6459d255 by Michael Pyne, on behalf of Johan Ouwerkerk.
Committed on 23/09/2018 at 00:21.
Pushed by ashark into branch 'docbook_historied_per_file'.

Use HTTPS instead of Git protocol as default git transport.

With this change, users of kdesrc-build have better protection from man in the middle attacks on source code transfers by default without having to switch to SSH-tunneled Git protocol.

FIXED-IN:18.09

Original commit: 2c09ca0d
https://invent.kde.org/sdk/kdesrc-build/-/commit/2c09ca0d8bc469d9860fc293b3e1eae2814dd4cb

M +1 -1 doc/getting-started/before-building.docbook

https://invent.kde.org/sdk/kdesrc-build/-/commit/96093c4fead6ea56dd037335786fd31e6459d255