[conspire] (forw) [DNG] [OT] YouTube archivism targeted

Rick Moen rick at linuxmafia.com
Tue Oct 27 13:48:14 PDT 2020


Quoting Don Marti (dmarti at zgp.org):

> The company name was picked way before Nat Friedman was involved
> with the company.

OK, so the _one_ thing I believed he did that was canny, he had nothing
to do with.  Noted.

> Keith Packard was imho influential in helping Git break out of the
> kernel niche into other software.
> 
>   https://keithp.com/blogs/Tyrannical_SCM_selection/
>   https://keithp.com/blogs/Repository_Formats_Matter/

Added to Mount Tsundoku, thanks.

Sorry, old joke from science fiction fandom.  'Tsundoku' is a wonderful
term left over from Meiji Japan, meaning the trait of acquiring reading
materials but not yet getting to them.  Thus an ancient gag about
referring to one's to-read queue as Mount Tsundoku.

I _will_ get around to those pieces.  Pinky swear.  (I just skimmed 'em,
in fact.)

Brief reaction:  Hell yeah, particularly to the second blog post.

Getting back briefly to GitHub, after getting well and truly annoyed at
the AOL aspect of GitHub advocacy, in which it was believed that
everyone had to be there because everyone was there, I started
reconstructing how we got there.  There's a piece I've only started
writing then got stalled, whose uncompleted alpha you can see here:

http://linuxmafia.com/kb/Devtools/software-forges


The piece's origin was my musing 'WTF?  Why is everyone talking about
ridiculous bloatware like GitLab and (not even self-hostable) GitHub?
Why not just something modest in scope, light, and maintainable on top
of git?'

The answer to the subsidiary question, 'Why not just git?' is obvious,
and was illustrated by the kernel.org / Linux Foundation security
compromise of late August 2011.  At that time, all of the kernel devs
had been submitting changesets via git+ssh transport, ergo the theft of
any one dev's SSH key (in this case, some claim it was the key of H. Peter
Anvin, but that's not publicly confirmed, and it could have been any of
about a hundred others) gave hostile parties user-level access,
which they then escalated to root privilege.  Famously, this disaster
was mitigated by the SHA1-attested change history being intact, because
git in that sense is self-auditing.

For about two years, the front page of kernel.org promised that there
would be a public incident report describing how the compromise was
effected and remedied, and how the system got rearchitected.  After
those couple of years, the promise was quietly taken down, and the
promised explanation has never emerged.  When I made an issue of this 
on LWN.net, I got a comical sideways-shuffle evasion about how I needed
to ask this-or-that other person, and I got nothinged to death.

Meanwhile, behind the scenes, the affected kernel.org infrastructure
_was_ rearchitected, engineers having realised that git+ssh access 
exposed _way_ too much attack surface.  The solution was _gitolite_,
a light layer of 'glue' atop git that handles developers' credentials
internally rather than being integrated into host-level user
authentication.  gitolite deliberately has very stripped down services
including very limited scripting, and deliberately no plausible route to
the shell.  Access is _still_ via ssh transport, but with auth handled
and permitted functionality stripped way down.

However, gitolite omits all shiny Web-anything.  It's just a developer 
code-repo access & distribution toolkit atop git, reached via ssh.
No 'issues' (bug) feature, no developer brag pages, none of that inane
GitHub/GitLab bloatware crap.  

I realised there needed to be a middle ground, where there _is_ a decent
Web interface atop the git-mediated repo with gitolite-like access, but
without a GitHub/GitLab marching band of featuritis.

Mirabile dictu, there is:  There are two such projects, and they're
perfectly fine and great for self-hosting without headaches or recurring
security nightmares, but most people haven't heard of them because they
don't have marketing budgets or roving gangs of fanboys like GitHub and
GitLab.

gitea:  https://gitea.io/

gogs:  https://gogs.io/

And that's where I'm leaving this topic, because I don't have time to
write the rest of that Linuxmafia.com Knowledgebase article at the moment.

-- 
Cheers,
Rick Moen
rick at linuxmafia.com

@kareem_carr:  "I discovered a new statistical law, that says that
all jokes on Twitter are based on other jokes on Twitter."
friend:  "That's really cool!  What do you call it?"
@kareem_carr:  *slowly doffs sunglasses*  "Regression to the meme."
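The confinement described above for gitolite (one shared ssh account, every developer key bound to a forced command, no pty and no forwarding) is something a git host's administrator can check mechanically. What follows is an added example, not gitolite's own code and not part of the post: a small Python audit that parses an authorized_keys file the way sshd reads it (an optional options field comes first, and a quoted option value may contain spaces and commas) and reports every key that still reaches the account's login shell or lacks one of the restrictions. The gitolite-shell install path, the user names and the sample authorized_keys file are all assumptions constructed for the example; only the line shape and the option names are OpenSSH's and gitolite's.

```python
"""Audit authorized_keys on a shared 'git' account for keys that are not
confined the way gitolite confines them (a forced command plus no-pty and
no-*-forwarding), i.e. keys that still hand out a login shell.

Added example for this post, not gitolite's own code.  GITOLITE_SHELL,
the user names and SAMPLE are assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
# Restrictions every gitolite-managed key carries.  OpenSSH's 'restrict'
# option (7.2 and later) switches all of them on at once.
REQUIRED = {"no-port-forwarding", "no-X11-forwarding",
            "no-agent-forwarding", "no-pty"}
GITOLITE_SHELL = "/home/git/bin/gitolite-shell"   # assumed install path


@dataclass
class KeyEntry:
    key_type: str
    comment: str
    command: Optional[str]                 # forced command; None = login shell
    missing: set = field(default_factory=set)

    @property
    def confined(self) -> bool:
        return self.command is not None and not self.missing


def _split_unquoted(text, seps, maxsplit=-1):
    """Split on any char in seps, ignoring separators inside double quotes
    (a backslash-escaped quote does not end the quoted string)."""
    parts, cur, in_quote, prev = [], "", False, ""
    for c in text:
        if c == '"' and prev != "\\":
            in_quote = not in_quote
        elif c in seps and not in_quote and maxsplit != 0:
            parts.append(cur)
            cur, prev, maxsplit = "", c, maxsplit - 1
            continue
        cur += c
        prev = c
    parts.append(cur)
    return parts


def parse_line(line):
    """Parse one authorized_keys line: [options] key-type blob [comment]."""
    if line.split(None, 1)[0] in KEY_TYPES:            # no options field
        opts_text, rest = "", line
    else:                                              # options come first
        parts = _split_unquoted(line, " \t", 1)
        opts_text, rest = parts[0], parts[1] if len(parts) > 1 else ""
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    key_type, comment = fields[0], fields[2] if len(fields) > 2 else ""
    opts = {}
    for item in filter(None, _split_unquoted(opts_text, ",")):
        name, _, value = item.partition("=")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        opts[name] = value if value else True
    missing = set() if "restrict" in opts else REQUIRED - set(opts)
    return KeyEntry(key_type, comment, opts.get("command"), missing)


def audit(text):
    """Return {comment: KeyEntry} for every active key line (comments are
    assumed unique, as they are when gitolite writes them)."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entry = parse_line(line)
            report[entry.comment] = entry
    return report


def unconfined(text):
    """Comments of the keys that can still reach a shell or a tunnel."""
    return [c for c, e in audit(text).items() if not e.confined]


def gitolite_style_line(user, key_type, blob):
    """The shape of the line gitolite writes for a user's key: the ssh
    account is shared, the key is bound to gitolite-shell with the
    gitolite user name as its only argument, and no pty or tunnel."""
    return (f'command="{GITOLITE_SHELL} {user}",no-port-forwarding,'
            f'no-X11-forwarding,no-agent-forwarding,no-pty {key_type} {blob} {user}')


# Constructed sample file: two gitolite-managed keys, a leftover key with a
# plain shell, a git-shell key missing most restrictions, and a key that
# relies on 'restrict' instead of spelling every option out.
SAMPLE = f"""\
# gitolite start
{gitolite_style_line("alice", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice")}
{gitolite_style_line("bob", "ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABExampleBob")}
# gitolite end
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleOldDev olddev@laptop
command="/usr/bin/git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCI ci-runner
restrict,command="{GITOLITE_SHELL} carol" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCarol carol
"""

if __name__ == "__main__":
    for comment, entry in audit(SAMPLE).items():
        print(f"{comment:15} confined={entry.confined} command={entry.command!r} "
              f"missing={sorted(entry.missing)}")
```

On a real host, feed the contents of the git account's ~/.ssh/authorized_keys to audit(); any key listed by unconfined() is one that, if stolen, gives its holder more than repository access, which is exactly the exposure the 2011 git+ssh setup had for every developer account.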