Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add git:// protocol check #10261

Merged
merged 5 commits into from
Aug 20, 2024
Merged

Add git:// protocol check #10261

merged 5 commits into from
Aug 20, 2024

Conversation

ffaf1
Copy link
Collaborator

@ffaf1 ffaf1 commented Aug 17, 2024

Include the following checklist in your PR:

  • Patches conform to the coding conventions.
  • Any changes that could be relevant to users have been recorded in the changelog.
  • The documentation has been updated, if necessary.
  • Manual QA notes have been included.
  • Tests have been added. (Ask for help if you don’t know how to write them! Ask for an exemption if tests are too complex for too little coverage!)

Manual QA

  1. Go to a local cabal package that has a source-repository stanza.
  2. In location: substitute https:// (or what you have) with git://.
  3. New cabal should display a git:// is not secure warning.

ffaf1 added a commit to ffaf1/cabal that referenced this pull request Aug 17, 2024
@ffaf1
Add changelog for haskell#10261
ae7ef39
@ffaf1 ffaf1 force-pushed the git-protocol-check branch from 941574d to ae7ef39 Compare August 17, 2024 14:17
@ffaf1
Copy link
Collaborator Author

ffaf1 commented Aug 17, 2024

Review ready.

Note:

  1. “Hackage would reject this package”; and
  2. the suggestion to use https:// or ssh:// instead (should we push something else?).

@ffaf1 ffaf1 added the attention: needs-manual-qa PR is destined for manual QA label Aug 17, 2024
ulysses4ever
ulysses4ever approved these changes Aug 17, 2024
View reviewed changes
Copy link
Collaborator

@ulysses4ever ulysses4ever left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd expect it to say something about "popular platforms, like GitHub, don't support it" but maybe it's too much detail...

@ffaf1 ffaf1 added merge me Tell Mergify Bot to merge and removed attention: needs-review labels Aug 17, 2024
@Kleidukos
Copy link
Member

I'd expect it to say something about "popular platforms, like GitHub, don't support it" but maybe it's too much detail...

We can absolutely check that it's git://github.com and display something specific to GitHub

@ffaf1
Copy link
Collaborator Author

ffaf1 commented Aug 18, 2024

We can absolutely check that it's git://github.com and display something specific to GitHub.

I left the warning vague (“Furthermore, popular forges like GitHub do not support it.”) and general (displayed always) because I other platforms choke on git://, e.g. GHC GitLab.

Shall the message be more generic? Shall we tailor the “Furthermore” to specific forges?

@ulysses4ever
Copy link
Collaborator

I think the current version is the perfect balance between specific and general. I am not a fan of making the code more complex than it needs to be to analyze the URI and tailor the message to the specific platform dynamically.

@ffaf1 ffaf1 changed the title Git protocol check Add git:// protocol check Aug 18, 2024
@mpickering
Copy link
Collaborator

There are many packages on hackage which use git:// for the source repo.

Perhaps it's worth considering a softer migration so that uploads of new versions of these packages are not blocked? I'm not sure on this one but wanted to point out it could affect a lot of users.

@ffaf1
Copy link
Collaborator Author

ffaf1 commented Aug 19, 2024

Perhaps it's worth considering a softer migration so that uploads of new versions of these packages are not blocked? I'm not sure on this one but wanted to point out it could affect a lot of users.

I believe with a changelog entry and the possibility of running cabal check locally, we are fine from a UX perspective.

Also let's keep in mind that first this will land in cabal, and after a while in Hackage, so it will take some time before Hackage refuse such packages, if users run cabal check now and then — they should! — they will get the message.

From the relevant Git Book section (which Brandon provided), there seems to be no sensible reason to still use git://, so downgrading this to a mere warning feels wrong.

@mpickering
Copy link
Collaborator

Perhaps it's worth considering a softer migration so that uploads of new versions of these packages are not blocked? I'm not sure on this one but wanted to point out it could affect a lot of users.

I believe with a changelog entry and the possibility of running cabal check locally, we are fine from a UX perspective.

Also let's keep in mind that first this will land in cabal, and after a while in Hackage, so it will take some time before Hackage refuse such packages, if users run cabal check now and then — they should! — they will get the message.

From the relevant Git Book section (which Brandon provided), there seems to be no sensible reason to still use git://, so downgrading this to a mere warning feels wrong.

Sounds good!

@mouse07410
Copy link
Collaborator

Please remind me - what is the problem this PR is supposed to fix?

And why is it wrong to reduce the level to "warning"?

@mpickering
Copy link
Collaborator

@mouse07410 The issue which was reported is that many of the source repository links on hackage are dead as they use the git:// protocol with github links. This means that cabal get -s doesn't work reliably.

So this PR doesn't fix that issue directly but would achieve something similar (getting people to update their links to https variants).

@mouse07410
Copy link
Collaborator

A lot of my repos are addressed via ssh://github.com/...... Is this PR going to force them to https://?

@ffaf1
Copy link
Collaborator Author

ffaf1 commented Aug 19, 2024

A lot of my repos are addressed via ssh://github.com/...... Is this PR going to force them to https://?

No, just to avoid git://….

@Kleidukos
Copy link
Member

@mouse07410 On the contrary you are using the SSH protocol which is good! Could you perhaps take a look at the suggested message in this PR and tell us if it could have been phrased better?

@geekosaur
Copy link
Collaborator

geekosaur commented Aug 19, 2024
edited
Loading

Specifically, any URL using git://github.com/… has failed to connect since 2021, so is useless. [ssh:][email protected]/… is the GitHub-recommended alternative. (Note that you can't push to https: URLs; you must use ssh.)

@mouse07410
Copy link
Collaborator

@mouse07410 On the contrary you are using the SSH protocol which is good! Could you perhaps take a look at the suggested message in this PR and tell us if it could have been phrased better?

Frankly, yes - especially since with this PR Cabal will error out such packages. I'll post a suggestion here, or in a Review when I get to my desktop computer tomorrow or day after.

@geekosaur
Copy link
Collaborator

I'm confused. This check is fine with ssh; it's the old git server protocol that is rejected, which hasn't been accepted by GitHub in 3 years.

@mergify mergify bot added the merge delay passed Applied (usually by Mergify) when PR approved and received no updates for 2 days label Aug 20, 2024
@Mikolaj Mikolaj force-pushed the git-protocol-check branch from dbfa1e3 to e581306 Compare August 20, 2024 18:40
@mergify mergify bot merged commit 34bef80 into haskell:master Aug 20, 2024
44 checks passed
@ffaf1 ffaf1 deleted the git-protocol-check branch August 20, 2024 19:14
@ffaf1
Copy link
Collaborator Author

ffaf1 commented Aug 20, 2024

@mouse07410 I did not remove the merge me label and now this is merged.

If you could illustrate what your problems are with the wording (or the logic), I can quickly write a fixup patch.

To be clear, if you have this stanza in your .cabal

source-repository head
    type:     git
    location: ssh://example.org/prova

cabal check will not complain. If you have this stanza in your .cabal:

source-repository head
    type:     git
    location: git://example.org/prova

cabal check will return will output:

Error: [git-protocol] Cloning over git:// might lead to an arbitrary code
execution vulnerability. Furthermore, popular forges like GitHub do not
support it. Use https:// or ssh:// instead.
Error: Hackage would reject this package.

Apologies for the messing-up, I was under the impression that further comments reset the 48-hours delay window for automatic merging.

@jasagredo jasagredo added the tested-on: windows QA has been successful on Windows label Sep 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ulysses4ever ulysses4ever ulysses4ever approved these changes

@geekosaur geekosaur geekosaur approved these changes

Assignees
No one assigned
Labels
attention: needs-manual-qa PR is destined for manual QA merge delay passed Applied (usually by Mergify) when PR approved and received no updates for 2 days merge me Tell Mergify Bot to merge tested-on: windows QA has been successful on Windows
Projects
Manual QA board
Status: To Test
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ffaf1 @Kleidukos @ulysses4ever @mpickering @mouse07410 @geekosaur @jasagredo