git@vger.kernel.org mailing list mirror (one of many)
From: Jeff King <peff@peff.net>
To: Florian Bezdeka <florian.bezdeka@siemens.com>
Cc: Jacob Keller <jacob.keller@gmail.com>,
	"brian m. carlson" <sandals@crustytoothpaste.net>,
	"git@vger.kernel.org" <git@vger.kernel.org>,
	"gitster@pobox.com" <gitster@pobox.com>,
	"greg.pflaum@pnp-hcl.com" <greg.pflaum@pnp-hcl.com>,
	Gerhard Rieger <gerhard@dest-unreach.org>
Subject: Re: Bug: Cloning git repositories behind a proxy using the git:// protocol broken since 2.32
Date: Wed, 1 Feb 2023 19:07:34 -0500
Message-ID: <Y9r+xm8/LbVBLIZ4@coredump.intra.peff.net>
In-Reply-To: <494ac71b378b1afb4349a4fb86767f7f77e781b3.camel@siemens.com>

On Wed, Feb 01, 2023 at 01:53:34PM +0100, Florian Bezdeka wrote:

> > The ideal, of course, would be an option to send the half-duplex
> > shutdown to the server and then wait for the server to hang up. But I
> > don't think it has such an option (you can just simulate it with a
> > really large "-t"). Netcat does, FWIW ("-q -1").
> 
> -t doesn't help here. With massive help from the socat maintainer
> (thanks Gerhard!, now in CC) I was able to get the following log out of
> socat:
> 
> 2023/02/01 11:06:29.960194 socat[18916] D read(0, 0x56111c858000, 8192)
> 2023/02/01 11:06:29.960208 socat[18916] D read -> 0
> 
> stdin had EOF. Socat half closes the socket:
> 
> 2023/02/01 11:06:29.960231 socat[18916] I shutdown(6, 1)
> 
> And then, within less than 0.2s, the peer (proxy?) closes the other
> channel:
> 
> 2023/02/01 11:06:30.118216 socat[18916] D read(6, 0x56111c858000, 8192)
> 2023/02/01 11:06:30.118238 socat[18916] D read -> 0
> 
> It's quite clear now that the remote peer (proxy or server) closes the
> complete connection after receiving the partial shutdown. That's
> nothing that is under my control.
>
> With privoxy and the infrastructure at work (zscaler based) there are
> at least two proxy implementations showing this behavior.

OK, so the problem is that socat is not terminating at git-daemon, but
rather at some other random infrastructure that also does not handle
half-duplex shutdowns in a reasonable way. <sigh>

So if we took socat out of the loop entirely, and if raw git-over-tcp
did the half-duplex shutdown for the v2 protocol (which it really ought
to be doing), then those proxies would presumably similarly break.

I dunno. I am sympathetic that this thing used to work, and now doesn't.
But really the issue is in the v2 protocol, which has no way to signal
"I'm done" short of closing the socket. Combining that with raw
git-over-tcp and over-zealous proxies is going to be a problem.

> Switching to ncat --no-shutdown qualifies as workaround for now, but so
> far I didn't manage to get socat back into the game. Downgrading git is
> the other possibility.

Did you try setting protocol.version to 0? I expect that would also
work.

IMHO the best option, if possible, is to use git-over-http. It's more
secure and generally more tested than git-over-tcp.

-Peff
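
Added example, not part of the message above and not code from git or socat: a loopback model of the failure discussed in this thread, where a client half-closes with shutdown(SHUT_WR) and the peer either keeps its sending direction open or tears down the whole connection. The names `peer` and `fetch`, the `zealous` flag, and the request/response bytes are constructed for illustration; they are not git's wire format.

```python
import socket
import threading

REQUEST = b"command=fetch\n"      # constructed stand-in, not real git pkt-line framing
RESPONSE = b"packfile-bytes" * 4  # constructed stand-in for the server's reply


def peer(listener, zealous):
    """Serve one connection; a zealous peer treats the client's FIN as a full close."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        # The reply is still pending; see whether the client half-closes meanwhile.
        conn.settimeout(0.3)
        try:
            got_fin = conn.recv(1) == b""
        except socket.timeout:
            got_fin = False
        if got_fin and zealous:
            return  # tear down both directions, reply never sent
        conn.sendall(RESPONSE)


def fetch(zealous, half_close):
    """Send REQUEST, optionally shutdown(SHUT_WR), then read the reply until EOF."""
    with socket.create_server(("127.0.0.1", 0)) as listener:
        t = threading.Thread(target=peer, args=(listener, zealous))
        t.start()
        with socket.create_connection(listener.getsockname()) as c:
            c.sendall(REQUEST)
            if half_close:
                c.shutdown(socket.SHUT_WR)  # the shutdown(6, 1) in the socat log
            reply = b""
            while chunk := c.recv(4096):
                reply += chunk
        t.join()
    return reply


if __name__ == "__main__":
    print("tolerant peer, half-close:", fetch(False, True) == RESPONSE)
    print("zealous peer, half-close: ", fetch(True, True) == RESPONSE)
    print("zealous peer, no shutdown:", fetch(True, False) == RESPONSE)
```

The third case corresponds to the `ncat --no-shutdown` workaround quoted above: with no FIN sent, the zealous peer has nothing to react to and the reply arrives intact.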
