[aur-general] Git over HTTPS

David Kaylor dpkaylor at gmail.com
Tue Jun 16 20:34:57 UTC 2015


Asking for a response from the OP: Do you not have other network access
available to maintain your AUR packages? More to the point, are you
maintaining packages on AUR as part of your official responsibilities? Or
just in spare time? Leaving aside, for the moment, all other arguments
regarding blocking outbound SSH, I believe these are fundamental questions.

On Tue, Jun 16, 2015 at 4:22 PM, Alan Jenkins <alan.james.jenkins at gmail.com>
wrote:

> Hey Giancarlo,
>
> Most of the large companies block everything and start from there, normally
> everything is blocked outbound and only things that are business critical
> are allowed until the business is able to function. In many cases they will
> block all outbound traffic and only allow access to the internet via ftp,
> http and the mitm style https via a proxy that is able to scan the content
> being sent across the connections to ensure they do not fall foul of a
> trojan or other malware.
>
> So unless I am missing something how are you going to tunnel out of a
> network if you only have port 21, 80 and 443 which are all really just
> going to the proxy server? If you do know a way I would love to hear it as
> I am interested, but as I stated in the previous email we are off topic.
> The problem is that no matter how hard you moan at the people in control of
> the firewalls they will normally not allow access to something unless
> *they* deem it to be secure, and once the person you are communicating with
> gets annoyed with you they will just send you to the next guy until you get
> annoyed and just give up (been there done that).
>
> Can we please stick to the feasibility of doing git+https? Github +
> Bitbucket are able to do it so surely we can too right? Or is there too
> much code relying on the SSH public key auth now?
>
> On 16 June 2015 at 20:30, Giancarlo Razzolini <grazzolini at gmail.com>
> wrote:
>
> > On 16-06-2015 14:20, Alan Jenkins wrote:
> >
> >> Also may I remind you that the focus of this conversation is allowing users
> >> in corporate environments access to be able to contribute to the AUR. These
> >> environments block SSH for multiple reasons but are able to allow HTTPS as
> >> they are able to more tightly regulate it.
> >>
> > There are literally tons of ways to tunnel out of a network. SSH is just
> > one of them. Instead of blocking anything, network admins should monitor
> > the traffic using netflow, and set alarms when too much data is leaving the
> > network. That would prevent a lot of data breaches. Or at least minimize
> > their impact.
> >
> > Expecting to block something to avoid information breach, or any other
> > kind of data theft is dumb. Also, come on people. It's 2015. Doesn't
> > everybody also have a machine at home?
> >
> > Cheers,
> > Giancarlo Razzolini
> >
>

