[aur-general] Git over HTTPS

Giancarlo Razzolini grazzolini at gmail.com
Tue Jun 16 23:11:59 UTC 2015 

Em 16-06-2015 17:22, Alan Jenkins escreveu:
> Most of the large companies block everything and start from there, 
> normally everything is blocked outbound and only things that are 
> business critical are allowed until the business is able to function. 
> In many cases they will block all outbound traffic and only allow 
> access to the internet via ftp, http and the mitm style https via a 
> proxy that is able to scan the content being sent across the 
> connections to ensure they do not fall foul of a trojan or other malware.

This is stupid, as I already pointed. Besides, unless the machines are 
rigged with a self signed CA on their browsers stores, you can't inspect 
anything without trowing a big warning to every https site the user 
visit. It certainly breaks a lot of mobile apps functionality.

>
> So unless I am missing something how are you going to tunnel out of a 
> network if you only have port 21, 80 and 443 which are all really just 
> going to the proxy server? If you do know a way I would love to hear 
> it as I am interested, but as I stated in the previous email we are 
> off topic.

You can punch a hole using DNS requests, you can use https, you can use 
websockets, you can use a VPN, etc. As I said, there are a lot of options.

> The problem is that no matter how hard you moan at the people in 
> control of the firewalls they will normally not allow access to 
> something unless *they* deem it to be secure, and once the person you 
> are communicating with gets annoyed with you they will just send you 
> to the next guy until you get annoyed and just give up (been there 
> done that).

I'm not moanning at the people in control of the firewalls (heck, I'm 
one of them). I'm complaining with the OP requests and demands that AUR 
devs do something because he needs it.

>
> Can we please stick to the feasibility of doing git+https? Github + 
> Bitbucket are able to do it so surely we can too right? Or is there 
> too much code relying on the SSH public key auth now?

Is it feasible? Of course it is. Just install sshlp in the machine, 
configure it, configure nginx and ssh, and you're done. But you can also 
implement a token auth system over https, like the one github have, so 
we could have git over https. I don't see the devs doing it also, but it 
would be better than to run sshlp on the machine.

Again, you can always use another network for doing all this. A more 
open one.

Cheers,
Giancarlo Razzolini

More information about the aur-general mailing list