Front page

HTTPS for cgit instance on which obnam is hosted

3c7e247efed842a4991a0f8f6cc7db7b
COBRA INSURGENT BLUEBIRD

From: Rémi Rampin <remirampin@gmail.com>
Date: Tue, 7 Mar 2017 15:27:56 -0500

   2017-03-07 14:29 EST, Arun Isaac <arunisaac@systemreboot.net>:
   
   > It would be nice to have HTTPS for the cgit instance (http://git.liw.fi)
   > on which obnam is hosted.
   >
   
   Lars seems to be using signed commits, so you can check content this way
   using his public key.
   
   I also set up a mirror on GitHub (https://github.com/obnam-mirror/obnam).
   HTTPS is available there, but note that mirroring is done through insecure
   git://... However GitHub could verify signed commits if Lars was to upload
   his public key to his account (larswirzenius).
   
   Interestingly some people have based work off of the GitHub mirror
   (fau-fablab has a Docker-based test setup that works on Travis)?
From: Lars Wirzenius <liw@liw.fi>
Date: Tue, 7 Mar 2017 22:00:46 +0200

   On Wed, Mar 08, 2017 at 12:59:32AM +0530, Arun Isaac wrote:
   > It would be nice to have HTTPS for the cgit instance (http://git.liw.fi)
   > on which obnam is hosted.
   
   Some day it may happen.
From: Arun Isaac <arunisaac@systemreboot.net>
Date: Wed, 08 Mar 2017 00:59:32 +0530

   Hi,
   
   It would be nice to have HTTPS for the cgit instance (http://git.liw.fi)
   on which obnam is hosted.
   
   Thanks,
   Arun Isaac.
From: Arun Isaac <arunisaac@systemreboot.net>
Date: Wed, 08 Mar 2017 10:28:30 +0530

   >> It would be nice to have HTTPS for the cgit instance (http://git.liw.fi)
   >> on which obnam is hosted.
   
   HTTPS for http://code.liw.fi would also be nice.
   
   > Lars seems to be using signed commits, so you can check content this way
   > using his public key.
   
   I am packaging obnam for GNU Guix SD and I am getting the source from
   the release tarballs. So, I thought it would be nice to have a HTTPS
   URL.
   
   > Some day it may happen.
   
   Sure, no problem.
From: Maximilian Gaukler <development@maxgaukler.de>
Date: Thu, 9 Mar 2017 21:46:13 +0100

   On 03/07/17 21:27, Rémi Rampin wrote:
   > fau-fablab has a Docker-based test setup that works on Travis
   Yeah, that's mine, I built it to test everything cleanly without messing 
   my machine which runs Debian stable. You can also use it without travis 
   via a shell script.
   
   I don't think it will ever be merged and therefore never asked for it, 
   as - judging from the discussion about gitignore - Lars seems to have a 
   different philosophy regarding development. (Which I do not want to 
   criticize, especially considering that obnam works quite well and he is 
   doing most of the work.)
   
   --
   Max
   
   _______________________________________________
   obnam-dev mailing list
   obnam-dev@obnam.org
   http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org
From: Lars Wirzenius <liw@liw.fi>
Date: Tue, 21 Mar 2017 18:32:37 +0200

   On Wed, Mar 08, 2017 at 10:28:30AM +0530, Arun Isaac wrote:
   > 
   > >> It would be nice to have HTTPS for the cgit instance (http://git.liw.fi)
   > >> on which obnam is hosted.
   > 
   > HTTPS for http://code.liw.fi would also be nice.
   
   Some day. Sorry I can't promise anything more concrete than that.
   
   > > Lars seems to be using signed commits, so you can check content this way
   > > using his public key.
   > 
   > I am packaging obnam for GNU Guix SD and I am getting the source from
   > the release tarballs. So, I thought it would be nice to have a HTTPS
   > URL.
   
   In that case what you want is to verify the data that is downloaded.
   HTTPS does nothing to guarantee that the file you download is the one
   I uploaed. At the moment that means following the signature chain in
   the APT repository down to the individual tarball.
   
   One day I will make my CI produced detached signatures for the
   tarballs.
From: Arun Isaac <arunisaac@systemreboot.net>
Date: Thu, 23 Mar 2017 14:38:47 +0530

   > Some day. Sorry I can't promise anything more concrete than that.
   
   No real hurry as such. Take your time.
   
   > In that case what you want is to verify the data that is downloaded.
   > HTTPS does nothing to guarantee that the file you download is the one
   > I uploaed. At the moment that means following the signature chain in
   > the APT repository down to the individual tarball.
   
   I was also concerned about general privacy on the web, preventing
   javascript injection by the ISP (my ISP does this often), etc.
   
   > One day I will make my CI produced detached signatures for the
   > tarballs.
   
   Yes, that would be nice as well.
   
   _______________________________________________
   obnam-dev mailing list
   obnam-dev@obnam.org
   http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org