From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Andreas Krey <a.krey@gmx.de>
Cc: Nguyen Thai Ngoc Duy <pclouds@gmail.com>, git@vger.kernel.org
Subject: Re: [RFC 0/2] Git-over-TLS (gits://) client side support
Date: Wed, 13 Jan 2010 16:47:47 +0200
Message-ID: <20100113144745.GA7246@Knoppix>
In-Reply-To: <20100113141218.GA17687@inner.home.ulmdo.de>
On Wed, Jan 13, 2010 at 03:12:18PM +0100, Andreas Krey wrote:
> On Wed, 13 Jan 2010 15:57:53 +0000, Ilari Liusvaara wrote:
> ...
> > And one would need custom daemon anyway even if one used stunnel.
> > git-daemon just can't deal with authentication data.
>
> It doesn't need to, really. stunnel sets the environment variable
> SSL_CLIENT_DN with the distinguished name of the client certificate,
> which can be used in the hook scripts ('update') on the server.

That would be useless. Data about the authenticated client needs to be fed to
authorization decisions already before invoking git.

And besides: Gits:// uses certificates as keypairs, which would make DN
data absolutely useless because it is untrustworthy. And adding PKI
is way too complicated.

> (I looked into that stuff once, but with the advent of smart-http(s)
> I pretty much lost any interest to try implementing gits:// via
> openssl here, as it isn't yet an actual itch.)

The authentication support for smart-http seems pretty bad (making the
old mistake of not binding authentications). Of course, the same tricks
as gits:// uses would work with https:// (it's all TLS-level stuff), but
no server or client does that.

-Ilari
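
An added example, not part of the original message and not code from gits:// or stunnel: a sketch of the two points argued above, that the authorization decision is made before git is invoked, and that with self-signed certificates used as bare keypairs the subject DN is self-asserted while a hash of the presented certificate is not. The ACL layout, the repository path and the byte strings standing in for DER certificates are all constructed assumptions.

```python
import hashlib

# Constructed stand-ins for the DER bytes of two self-signed client
# certificates. Both claim the same subject DN; only the key differs.
ENROLLED_CERT = b"constructed-der|subject=CN=alice|pubkey=AAAA"
LOOKALIKE_CERT = b"constructed-der|subject=CN=alice|pubkey=BBBB"

SERVICES = ("git-upload-pack", "git-receive-pack")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes handed over by the TLS layer."""
    return hashlib.sha256(cert_der).hexdigest()


# Hypothetical ACLs: repository -> service -> set of allowed identities.
ACL_BY_DN = {"/srv/git/project.git": {"git-receive-pack": {"CN=alice"}}}
ACL_BY_KEY = {
    "/srv/git/project.git": {"git-receive-pack": {fingerprint(ENROLLED_CERT)}}
}


def authorize_by_dn(claimed_dn: str, repo: str, service: str) -> bool:
    """DN check: without a PKI, anyone can put any DN in their own cert."""
    return claimed_dn in ACL_BY_DN.get(repo, {}).get(service, set())


def authorize_by_key(cert_der: bytes, repo: str, service: str) -> bool:
    """Keypair check: identity is the certificate the peer proved it holds."""
    allowed = ACL_BY_KEY.get(repo, {}).get(service, set())
    return fingerprint(cert_der) in allowed


def gate(cert_der: bytes, repo: str, service: str):
    """Decide before git runs: return the argv to exec, or None to refuse."""
    if service not in SERVICES:
        return None
    if not authorize_by_key(cert_der, repo, service):
        return None
    return [service, repo]


if __name__ == "__main__":
    repo = "/srv/git/project.git"
    print("DN check, lookalike:", authorize_by_dn("CN=alice", repo, "git-receive-pack"))
    print("key gate, enrolled: ", gate(ENROLLED_CERT, repo, "git-receive-pack"))
    print("key gate, lookalike:", gate(LOOKALIKE_CERT, repo, "git-receive-pack"))
```
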