From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] git problems
Date: Thu, 30 May 2024 14:30:36 +0200
Message-ID: <20240530123036.GY2821752@pb2>
In-Reply-To: <ZlhGg8_0PPR7-54x@andrews-2024-laptop.sayers>

On Thu, May 30, 2024 at 10:27:31AM +0100, Andrew Sayers wrote:
> On Thu, May 30, 2024 at 01:30:09AM +0200, Michael Niedermayer wrote:
> > Hi all
> >
> > It seems the security update (https://ubuntu.com/security/notices/USN-6793-1)
> > broke public git
> >
> > We use gitolite that runs under its own user and serve git through apache
> > which runs under a different user.
> > Apache has only read access to the repositories
> >
> > Since the security update that stopped working, the logs are full of messages
> > telling that we need to add the repositories to safe.directory
> > (the commands suggested don't work and seem to mix up \t with a tab but that's beside the point)
> > once the repository is added to safe.directory, which I've done with https://git.ffmpeg.org/michael.git
> > the error is gone and everything looks fine in the logs on the server but it still
> > doesn't work. (i have not touched ffmpeg.git config as i first wanted to test this)
> >
> > So like i just said on IRC. i hope some of the other root admins will have
> > some more insight here. Or if you (yes YOU!) want to help or know something
> > please speak up.
> >
> > This is totally not my area and i think other people could find the issue
> > with less effort in less time and it would be more efficient if i work
> > on FFmpeg instead where the return per hour of my time should be much greater.
> >
> > Also gitweb and git over ssh seem unaffected and there's github
> >
> > If people want i could downgrade git OR
> > upgrade git to latest git ignoring official ubuntu packages
> > otherwise, i intend to leave this for someone else to investigate and rather
> > work on FFmpeg which just seems like a much better use of my time
>
> You've talked recently about looking for STF money to upgrade the servers.
> You might want to write up a postmortem when the bug is fixed,

i will suggest this to raz once we understand the issue fully

[...]

> One thing for the postmortem - I don't know enough about these specific
> programs to do much with the description provided. And even if I did, I could
> only offer prose hints at a solution. But containerising these services would
> let me replicate the server locally, and suggest solutions as normal patches
> on the mailing list.

the box is a VM currently so one could in principle clone it.
only that various private keys (for example for SSL certs) and personal data
(like IP addresses in log files) would be in it making public sharing impossible
also there are likely other reasons why publicly sharing such a clone would be
a bad idea.
i don't see how containerising would change this.
IMHO the effort to make sure a container would be safe security and privacy wise
to share publicly outweighs the benefit.

If someone wants to reproduce this locally, setup a ubuntu focal, setup gitolite
setup apache and try to do a git clone via https. with latest git vs the version
from 3 days ago, that should probably replicate it.
If one person builds such a test setup, (s)he can share this with everyone
I think the effort here is quite a bit lower than trying to make the live
servers publicly sharable. (and it costs us 0 time and 0 $)

anyway not suggesting anyone does this. Just saying, IF someone really wants to
replicate it.

raz has found a workaround already with the current git version, but we
still have incomplete understanding of the issue

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesn't understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.