* [FFmpeg-devel] git problems
@ 2024-05-29 23:30 Michael Niedermayer
2024-05-30 1:04 ` Michael Niedermayer
2024-05-30 9:27 ` Andrew Sayers
0 siblings, 2 replies; 4+ messages in thread
From: Michael Niedermayer @ 2024-05-29 23:30 UTC
To: FFmpeg development discussions and patches
Hi all
It seems the security update (https://ubuntu.com/security/notices/USN-6793-1)
broke public git
We use gitolite that runs under its own user and serve git through apache
which runs under a different user.
Apache has only read access to the repositories
Since the security update that stopped working, the logs are full of messages
telling that we need to add the repositories to safe.directory
(the commands suggested don't work and seem to mix up \t with a tab but that's beside the point)
once the repository is added to safe.directory, which i've done with https://git.ffmpeg.org/michael.git
the error is gone and everything looks fine in the logs on the server but it still
doesn't work. (i have not touched ffmpeg.git config as i first wanted to test this)
So like i just said on IRC. i hope some of the other root admins will have
some more insight here. Or if you (yes YOU!) want to help or know something
please speak up.
This is totally not my area and i think other people could find the issue
with less effort in less time and it would be more efficient if i work
on FFmpeg instead where the return per hour of my time should be much greater.
Also gitweb and git over ssh seem unaffected and there's github
If people want i could downgrade git OR
upgrade git to latest git ignoring official ubuntu packages
otherwise, i intend to leave this for someone else to investigate and rather
work on FFmpeg which just seems like a much better use of my time
thx
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I have never wished to cater to the crowd; for what I know they do not
approve, and what they approve I do not know. -- Epicurus
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
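A diagnostic for the setup described in the message above (repositories owned by one account, served by another), added here as an example; it is not part of the thread and is not the workaround mentioned later. It is a simplified model of git's ownership check, and the function names, paths and uids are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Simplified model of git's
# ownership check: a repository is accepted when its owner is the calling
# user, or when a safe.directory entry is "*" or equals the repository path.
# An empty entry clears the entries read before it.

# classify OWNER_UID CALLER_UID REPO_PATH ENTRIES   (ENTRIES: one per line)
classify() {
    owner=$1 caller=$2 repo=$3 entries=$4
    if [ "$owner" = "$caller" ]; then
        echo "owner-match"
        return 0
    fi
    allowed=no
    # Walk the entries in config order so a reset only affects earlier ones.
    while IFS= read -r entry; do
        case $entry in
            "")      allowed=no ;;
            "*")     allowed=yes ;;
            "$repo") allowed=yes ;;
        esac
    done <<EOF
$entries
EOF
    if [ "$allowed" = yes ]; then echo "safe-listed"; else echo "blocked"; fi
}

# report REPO: gather the real values for the current account. Run it as the
# account the web server uses, since the global config depends on that
# account's HOME; the system config applies to every account.
report() {
    repo=$1
    owner=$(stat -c %u "$repo") || return 2
    entries=$(git config --system --get-all safe.directory 2>/dev/null
              git config --global --get-all safe.directory 2>/dev/null)
    echo "HOME=${HOME:-<unset>} uid=$(id -u) repo-owner=$owner"
    # Show which file each entry comes from.
    git config --show-origin --get-all safe.directory
    classify "$owner" "$(id -u)" "$repo" "$entries"
}

# Usage (path is a constructed sample): report /srv/git/repositories/example.git
```
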
* Re: [FFmpeg-devel] git problems
From: Michael Niedermayer @ 2024-05-30 1:04 UTC
To: FFmpeg development discussions and patches
after talking with raz and BtbN i've downgraded git to the previous one
raz will look at it tomorrow
thx to raz and timo
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
* Re: [FFmpeg-devel] git problems
From: Andrew Sayers @ 2024-05-30 9:27 UTC
To: FFmpeg development discussions and patches
You've talked recently about looking for STF money to upgrade the servers.
You might want to write up a postmortem when the bug is fixed, focussing on
improvements that are unlikely to happen without money. Then you can say
"we had X hours of downtime, we think Y jobs will reduce that by Z%".
One thing for the postmortem - I don't know enough about these specific
programs to do much with the description provided. And even if I did, I could
only offer prose hints at a solution. But containerising these services would
let me replicate the server locally, and suggest solutions as normal patches
on the mailing list.
* Re: [FFmpeg-devel] git problems
From: Michael Niedermayer @ 2024-05-30 12:30 UTC
To: FFmpeg development discussions and patches
On Thu, May 30, 2024 at 10:27:31AM +0100, Andrew Sayers wrote:
> You've talked recently about looking for STF money to upgrade the servers.
> You might want to write up a postmortem when the bug is fixed,
i will suggest this to raz once we understand the issue fully
[...]
> One thing for the postmortem - I don't know enough about these specific
> programs to do much with the description provided. And even if I did, I could
> only offer prose hints at a solution. But containerising these services would
> let me replicate the server locally, and suggest solutions as normal patches
> on the mailing list.
the box is a VM currently so one could in principle clone it.
only that various private keys (for example for SSL certs) and
personal data (like IP addresses in log files) would be in it
making public sharing impossible
also there are likely other reasons why publicly sharing such a clone
would be a bad idea.
i don't see how containerising would change this.
IMHO the effort to make sure a container would be safe security and privacy
wise to share publicly outweighs the benefit.
If someone wants to reproduce this locally, set up a ubuntu focal, set up gitolite
set up apache and try to do a git clone via https. with latest git vs the
version from 3 days ago, that should probably replicate it.
If one person builds such a test setup, (s)he can share this with everyone
I think the effort here is quite a bit lower than trying to make the live
servers publicly sharable. (and it costs us 0 time and 0 $)
anyway not suggesting anyone does this. Just saying, IF someone really
wants to replicate it.
raz has found a workaround already with the current git version, but we
still have incomplete understanding of the issue
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesnt understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel