Bug 1489417

Summary: Gerrit shouldn't offer http or git for code download
Product: [Community] GlusterFS
Component: project-infrastructure
Reporter: M. Scherer <mscherer>
Assignee: bugs <bugs>
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: mainline
CC: bugs, gluster-infra
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-12 12:51:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description M. Scherer 2017-09-07 12:15:58 UTC
The git protocol is in clear text, so we should avoid it, since an attacker could do a MITM and inject code that will be built (and likely executed) on the user's system.

Comment 1 Nigel Babu 2017-09-07 17:20:16 UTC
The intention here was to reduce the load on Gerrit servers. We should do the following to fix this up:

* Remove Giturl from the config so it's not advertised over the UI
* Set up a read-only replica of git repos on Gerrit for CI to consume.
* Get that to serve over HTTPS for the CI system to clone.

The git clone is actively used by the CI system because it doesn't place load on Gerrit itself.
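
An added check (example code, not part of this bug or of the Gluster infrastructure) that audits a gerrit.config for the settings the plan above targets. It assumes Gerrit's gerrit.canonicalGitUrl key (the advertised "Giturl"), gerrit.gitHttpUrl, and the download.scheme values anon_git and anon_http, and runs on constructed sample configurations, the weak one beside the hardened one.

```python
import re
from typing import Dict, List

# download.scheme values that advertise a clone method with no transport security
# (anonymous git:// and anonymous http://). Key/value names are assumptions.
CLEARTEXT_SCHEMES = {"anon_git", "anon_http"}


def parse_git_config(text: str) -> Dict[str, List[str]]:
    # Minimal parser for git-config style files such as Gerrit's gerrit.config;
    # returns {"section.key": [values]} and keeps repeated keys (download.scheme).
    out: Dict[str, List[str]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        m = re.match(r'^\[([\w.-]+)(?:\s+"([^"]*)")?\]$', line)
        if m:  # [section] or [section "subsection"]
            section = m.group(1).lower() + ("." + m.group(2) if m.group(2) else "")
            continue
        key, _, value = line.partition("=")
        out.setdefault(section + "." + key.strip().lower(), []).append(value.strip())
    return out


def cleartext_findings(config_text: str) -> List[str]:
    # One finding per setting that advertises a cleartext (MITM-able) clone URL.
    cfg = parse_git_config(config_text)
    findings: List[str] = []
    for scheme in cfg.get("download.scheme", []):
        if scheme.lower() in CLEARTEXT_SCHEMES:
            findings.append(f"download.scheme={scheme}: cleartext clone method advertised")
    for url in cfg.get("gerrit.canonicalgiturl", []):
        findings.append(f"gerrit.canonicalGitUrl={url}: git:// daemon URL advertised in the UI")
    for url in cfg.get("gerrit.githttpurl", []):
        if url.lower().startswith("http://"):
            findings.append(f"gerrit.gitHttpUrl={url}: plain HTTP clone URL, not HTTPS")
    return findings


# Constructed samples: the weak configuration beside the hardened one.
WEAK = "[gerrit]\n\tcanonicalGitUrl = git://review.example.org/\n\tgitHttpUrl = http://review.example.org/\n[download]\n\tscheme = ssh\n\tscheme = anon_git\n\tscheme = anon_http\n"
HARDENED = "[gerrit]\n\tgitHttpUrl = https://review.example.org/\n[download]\n\tscheme = ssh\n\tscheme = http\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name + ":", cleartext_findings(text) or "no cleartext clone URLs advertised")
```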

Comment 2 M. Scherer 2017-09-07 22:16:45 UTC
We already have a reverse proxy in front of gerrit, so we can (maybe with lots of hacks in the automation) do some magic to bypass gerrit for a specific URL and/or vhost.

Comment 3 Nigel Babu 2017-09-08 04:00:49 UTC
The interest in the less hacky solution is so that we can bring down gerrit without majorly affecting CI jobs, which will clone from our replicated git.

Comment 4 sankarshan 2019-05-27 01:51:27 UTC
Are there plans to do further/additional work on this? If not, I'd request a CLOSED DEFERRED.

Comment 5 M. Scherer 2019-06-12 12:17:18 UTC
Dunno, I think Nigel had a specific plan for this, but that's not on my radar. I would, however, keep it open so we do not forget, once more urgent stuff is done (or once we get more resources, which would have a side effect of fixing more urgent stuff).

Comment 6 Worker Ant 2020-03-12 12:51:49 UTC
This bug is moved to https://github.com/gluster/project-infrastructure/issues/25, and will be tracked there from now on. Visit the GitHub issues URL for further details.