From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-3.1 required=3.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.6 Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by dcvr.yhbt.net (Postfix) with ESMTP id 4D3531F5A0 for ; Thu, 2 Feb 2023 10:15:03 +0000 (UTC) Authentication-Results: dcvr.yhbt.net; dkim=pass (2048-bit key; secure) header.d=gmx.de header.i=@gmx.de header.a=rsa-sha256 header.s=s31663417 header.b=qozM6JAF; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232049AbjBBKO4 (ORCPT ); Thu, 2 Feb 2023 05:14:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51912 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231889AbjBBKOy (ORCPT ); Thu, 2 Feb 2023 05:14:54 -0500 Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CF594486 for ; Thu, 2 Feb 2023 02:14:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1675332876; bh=SnYjo27GZXPcqybnlZnSzXrNULkr2KEv8t2nwoXygIg=; h=X-UI-Sender-Class:Date:From:To:cc:Subject:In-Reply-To:References; b=qozM6JAF7B7DLhbAIyycofGEvwoUdbWkA5CHeaskFVJO1BjhIZrtSuSlRyG6JG8BL 8pcQVXB93rFP7afK6XdJx85ef2jXIKUyF2bn7doPlvOq7CoexK0EI3cQXWtmr5GFV/ 3OLdDRsXFIxh143dIzzDqWrIIAcyajZV7mytq2mMOOuJ0eNDfGY9ehwKxaO2j2+v5c LPGxrcw1cN+idDVfRedWWAL5M8W/E4eQUkBsA3maN2YLk4jl8M0xwBpRZxTCoNMMYp qAC/4SQL5CEAgk1xJ3ZgyZ6Nj1aFYkDl4LZ7j/BnvxBDHi6BpRfuO5+Qh6CIZbpnp6 aMkFqVo34IAtw== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from [192.168.128.75] ([89.1.215.7]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1N9dwd-1obvoX0wnl-015ZUx; Thu, 02 Feb 2023 11:14:36 +0100 Date: Thu, 2 Feb 2023 11:14:33 +0100 (CET) From: Johannes Schindelin To: Junio C Hamano cc: Jeff King , Victoria Dye , Matthew John Cheetham via GitGitGadget , git@vger.kernel.org, Derrick Stolee , Lessley Dennington , Matthew John Cheetham , M Hickford , Jeff Hostetler , Glen Choo , =?UTF-8?Q?=C3=86var_Arnfj=C3=B6r=C3=B0_Bjarmason?= Subject: Re: [PATCH v7 00/12] Enhance credential helper protocol to include auth headers In-Reply-To: Message-ID: <6f83ed25-a7e1-06dd-f180-d70c7e1b1973@gmx.de> References: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Provags-ID: V03:K1:A0Nqy+yUWtcIpd5QRGOwaT5OaKN1PWzxKjWzwJjA5tdgRfXlq5h oCJ3OKYmViNmN1woAOSENAl16c1PNazELrFOO+QzJAhYVWU+5B8gzq7pFJP+qPun+wFA5mL JmNovxsh5Ml6FqPsrf8gJMuUNr1sMrtcnIx2SnvSE01fhnpQQIhUCSDiTC5wIftWPZxp5uK oGCHXN1v6mBLcET7G4bCA== UI-OutboundReport: notjunk:1;M01:P0:oCxKYvLh3fQ=;jH41wZ4jJP3vV+Pktkf/TjFinPI rPLlCB1jhJU8cM4K61RwcJ4N+RPTFYQHNxjDPn0VFb6G6FsvCq2poH57MKSPyyRurJxrYcNYT FM/8xkySpcG7q9dXKD4tr53ZRpVYubq5hhLenCQca0EAITst/UD2WuAMMBircMj9twamNuNud 31JJCDME6CDHtR3ZaPRwMuyGgnpjSZFVVr+D1hqf0k4rd936DF/5PVIkc60h0UAkQ0WfIuQrv FrZ40X13x3jM4DIX35bCkIOesI3kozMQusFpbOHAZc+nUKc62IWQQKPtA2/LHIj5jWD+spipG PKv4dDbS0Q1lAgYsK9gX5rZb9B8Nn+BAwV5TuSWqhPJ13RlCdlxKdGR3eLTeZXUWXGoy8avqs 4NpSbGKKgwQmY9nrc3yPCIKJuhmZd1wbSw6TQEBvmCRdH6UVoXyq+wdl+syjpoKHnA4jCscUa vK6sU0zBY/WBu6EHnnpf26aPCO2n9u3W+H7n7jDpbiKlLybg2pkBOa4u0QcLdSmdqnBOBGs3/ WEmWUEp/JTF6f8tyH+iYprdf8mGVIXDLfCzTnKFetxEU2yyCJyBBszkoBRd08FKYftmWag6AI bpyqexBYh8Ypeqs+P2LB9eXlzEIha83OjafrxcFqSCLIxm+hPJW9J46c0RvGg2c0nSOXD9epy tmm5qQv4utCvOA5zWTJ9KtJGS+qnCxNNLMpGjiLnaL7Assc2BwkNmaJQKVOtNITVqM2OeQh25 98HaEPmvMYmoKhDrcRnMempFEhGT/FLLTMSLKkXImb+Q5ZIejT98XsfYlfqv7dAJNfN6MzcrV WWkYmAaxozuvMPEQ/MrsMmWW50XPsQcFwRDruhw7yQngYEdWfOM4oFYwB1K+06mSmYnWyvRXm Yy9e2il9G3UnjLuxJeUDxJqOQLYVlBYjojO+Q0LKil6Hg/z/ssfyvEyZUCX2Ao4tIKyNuqOqu chtAtc6mM3Rp8vm/S4q1hZ2jmiY= Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org Hi Junio & Peff, On Thu, 26 Jan 2023, Junio C Hamano wrote: > Jeff King writes: > > >> Thanks, both. Let's merge it down. > > > > Sorry, I'm a bit late to the party, but I left some comments just now > > (this topic had been on my review backlog for ages, but I never quite > > got to it). > > > > Many of my comments were small bits that could be fixed on top (tiny > > leaks, etc). But some of my comments were of the form "no, do it total= ly > > differently". It may simply be too late for those ones, but let's see = if > > Matthew finds anything compelling in them. > > I do not mind reverting the merge to 'next' to have an improved > version. Your "do we really want to add a custom server based on > questionable codebase whose quality as a test-bed for real world > usage is dubious?" is a valid concern. Except. Except that this code base would have made for a fine base to potentially implement an HTTPS-based replacement for the aging and insecure git-daemon. That code base (which is hardly as questionable codebase as you make it sound because it has been in use for years in a slightly different form) would have had the opportunity to mature in a relatively safe environment: our test suite. And eventually, once robust enough, it could have been extended to allow for easy and painless yet secure ad-hoc serving of Git repositories, addressing the security concerns around git-daemon. And now that we're throwing out that code we don't have that opportunity, making the goal to deprecate the git-daemon and replace it by something that is as easy to set up but talks HTTPS instead much, much harder to reach. In addition, it causes a loss of test coverage because Apache is not available in all the setups where the "questionable" code would have had no problem being built and validating the credential code. Windows, for example, will now go completely uncovered in CI regarding the new code. Ciao, Johannes