From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 30 May 2024 14:30:36 +0200
Subject: Re: [FFmpeg-devel] git problems
Message-ID: <20240530123036.GY2821752@pb2>
References: <20240529233009.GW2821752@pb2>

On Thu, May 30, 2024 at 10:27:31AM +0100, Andrew Sayers wrote:
> On Thu, May 30, 2024 at 01:30:09AM +0200, Michael Niedermayer wrote:
> > Hi all
> >
> > It seems the security update (https://ubuntu.com/security/notices/USN-6793-1)
> > broke public git
> >
> > We use gitolite that runs under its own user and serve git through apache
> > which runs under a different user.
> > Apache has only read access to the repositories
> >
> > Since the security update that stopped working, the logs are full of messages
> > telling that we need to add the repositories to safe.directory
> > (the commands suggested don't work and seem to mix up \t with a tab but that's beside the point)
> > once the repository is added to safe.directory, which i've done with https://git.ffmpeg.org/michael.git
> > the error is gone and everything looks fine in the logs on the server but it still
> > doesn't work. (i have not touched ffmpeg.git config as i first wanted to test this)
> >
> > So like i just said on IRC. i hope some of the other root admins will have
> > some more insight here. Or if you (yes YOU!) want to help or know something
> > please speak up.
> >
> > This is totally not my area and i think other people could find the issue
> > with less effort in less time and it would be more efficient if i work
> > on FFmpeg instead where the return per hour of my time should be much greater.
> >
> > Also gitweb and git over ssh seem unaffected and there's github
> >
> > If people want i could downgrade git OR
> > upgrade git to latest git ignoring official ubuntu packages
> > otherwise, i intend to leave this for someone else to investigate and rather
> > work on FFmpeg which just seems like a much better use of my time
>
> You've talked recently about looking for STF money to upgrade the servers.
> You might want to write up a postmortem when the bug is fixed,

i will suggest this to raz once we understand the issue fully

[...]

> One thing for the postmortem - I don't know enough about these specific
> programs to do much with the description provided. And even if I did, I could
> only offer prose hints at a solution. But containerising these services would
> let me replicate the server locally, and suggest solutions as normal patches
> on the mailing list.

the box is a VM currently so one could in principle clone it.
only that various private keys (for example for SSL certs) and
personal data (like IP addresses in log files) would be in it
making public sharing impossible
also there are likely other reasons why publicly sharing such a clone
would be a bad idea.
i don't see how containerising would change this.
IMHO the effort to make sure a container would be safe security and privacy wise
to share publicly outweighs the benefit.

If someone wants to reproduce this locally, setup a ubuntu focal, setup gitolite
setup apache and try to do a git clone via https. with latest git vs the version
from 3 days ago, that should probably replicate it.
If one person builds such a test setup, (s)he can share this with everyone
I think the effort here is quite a bit lower than trying to make the live servers
publicly sharable. (and it costs us 0 time and 0 $)

anyway not suggesting anyone does this. Just saying, IF someone really wants to
replicate it.

raz has found a workaround already with the current git version, but we still
have incomplete understanding of the issue

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesn't understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.