From: Luis Lavena
Date: 2012-09-30T02:21:13+09:00
Subject: [ruby-core:47742] Re: [ruby-trunk - Bug #7085][Open] Subversion → GitHub gateway stops.

Thank you Shyouhei Urabe,

Wouldn't it be possible to set up the bridge on the same subversion server so it doesn't require ssh keys to push?

The idea is: the subversion repository is local, and so is the git repository.

We expose the git repo as read-only too, and we can ask GitHub to mirror it as github.com/ruby/ruby.

That way we don't need ssh keys and the basic gateway can run securely.

Who provides ruby svn?

Sorry for top posting. Sent from mobile.

On Sep 29, 2012 9:40 AM, "shyouhei (Shyouhei Urabe)" wrote:

> Issue #7085 has been reported by shyouhei (Shyouhei Urabe).
>
> ----------------------------------------
> Bug #7085: Subversion → GitHub gateway stops.
> https://bugs.ruby-lang.org/issues/7085
>
> Author: shyouhei (Shyouhei Urabe)
> Status: Open
> Priority: Immediate
> Assignee:
> Category: Project
> Target version:
> ruby -v: not version dependent
>
> Abstract: Sorry for your inconvenience. Due to my resigning my job
> at netlab.jp, the Subversion to GitHub gateway stops now. The
> gateway was located there, maintained by me.
>
> The biggest problem in rebooting the gateway is its ssh private keys. It
> first sshes into the canonical svn server to pull the repo, then sshes
> into GitHub to push it. Both ssh sessions need private keys, and
> as the gateway runs totally automatically using cron, those keys are
> not passphrased.
>
> Ruby's canonical repo has once been cracked. GitHub also had a
> vulnerability before. Leaking these keys is a serious threat
> against our project. Malicious code can be injected by using
> (either of) them.
>
> So sorry, I don't want to put these keys on any VPS, IaaS,
> colocation or anything like that. Doing so is in fact easy and
> would make the gateway work again, but it will introduce a huge
> security threat.
>
> In order to properly fix this situation, a RELIABLE place is
> mandatory, where no access is possible from the internet, yet the
> gateway itself can connect to ruby-lang.org and github.com.
> Normal company intranets behind NATs should suffice, like
> netlab.jp was, though I doubt a "normal" company intranet would
> welcome a black box like the gateway.
>
> =========
>
> The GitHub gateway has stopped following Urabe's resignation. At present there
> is no prospect of restoring it. I deeply apologize that this announcement comes
> after the fact. I am sorry for not having laid the groundwork in advance.
>
> To begin with, the gateway to GitHub was not something developed as part of any
> project; Urabe maintained it bit by bit whenever there was spare time, and in
> reality it ran on Urabe's personally owned machine, which sat at Urabe's desk
> in NaCl's Tokyo branch office. On leaving the job, this machine was shut down
> and removed. As a result the service was stopped along with it.
>
> The problem for restoration is the ssh keys. By design, the gateway machine has
> to ssh into ruby's svn server to fetch the data, and then ssh into github to
> update the data; since this is driven by cron, the private keys used for both
> must exist on the gateway machine without a passphrase.
>
> Ruby's repository has a history of being cracked. GitHub also has a history of
> having a vulnerability exploited. Therefore, a leak of these passphrase-less
> ssh keys would be quite dangerous. Whichever key leaks, it becomes possible to
> make malicious modifications to Ruby's source code. I do not want to place
> these keys on a machine that is not under my control. I have confirmed that by
> renting a VPS or the like and running the script, the gateway could be
> relocated in a matter of minutes to a few hours, but even for that
> confirmation I used ssh agent forwarding.
>
> For these reasons, restoring synchronization with github right away is rather
> difficult. Or, to be precise, there is no technical difficulty, but doing it
> raises security concerns. My understanding is that we need to find a place
> that at least cannot be accessed from the external Internet (but from which
> connections can be made to ruby-lang.org and github.com), and where only
> reasonably trusted hosts are installed. I think an ordinary company's internal
> network would do, but the question is whether it is appropriate to place a
> machine unrelated to the company's business there.
>
>
> --
> http://bugs.ruby-lang.org/
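The quoted report describes the core risk of an unattended mirror host: private keys stored without a passphrase, and keys that the svn server and GitHub accept without restriction, so that whoever obtains them can push arbitrary code. The following audit script is an added example written for this thread, not code from the gateway or the Ruby project. It checks a private-key file for passphrase protection (by reading the cipher and KDF fields of the `openssh-key-v1` header, or the `Proc-Type: 4,ENCRYPTED` line of legacy PEM keys) and flags `authorized_keys` entries that lack a forced command (`restrict`/`command=`) or a `from=` source restriction. The key blobs and file contents are constructed samples; the paths and comments are placeholders.

```ruby
require 'base64'
require 'stringio'

# Audit helpers for an unattended (cron-driven) mirror host. Added example code;
# all sample keys below are constructed headers, not real key material.

OPENSSH_MAGIC = "openssh-key-v1\0".b

# Read one SSH wire-format "string": uint32 big-endian length, then that many bytes.
def read_ssh_string(io)
  len_bytes = io.read(4)
  raise ArgumentError, "truncated key" if len_bytes.nil? || len_bytes.bytesize < 4
  len = len_bytes.unpack1("N")
  data = io.read(len)
  raise ArgumentError, "truncated key" if data.nil? || data.bytesize < len
  data
end

# Returns :encrypted, :plaintext, or :unknown for the text of a private-key file.
def private_key_protection(pem_text)
  if pem_text.include?("-----BEGIN OPENSSH PRIVATE KEY-----")
    body = pem_text.lines.reject { |l| l.start_with?("-----") }.join
    blob = Base64.decode64(body)
    return :unknown unless blob.start_with?(OPENSSH_MAGIC)
    io = StringIO.new(blob.byteslice(OPENSSH_MAGIC.bytesize..-1))
    cipher = read_ssh_string(io) # "none" when the key was saved without a passphrase
    kdf    = read_ssh_string(io) # "none" likewise; "bcrypt" when it is protected
    return (cipher == "none" || kdf == "none") ? :plaintext : :encrypted
  end
  return :encrypted if pem_text.include?("-----BEGIN ENCRYPTED PRIVATE KEY-----")
  if pem_text =~ /-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----/
    # Legacy PEM keys announce passphrase protection in a header line.
    return pem_text.include?("Proc-Type: 4,ENCRYPTED") ? :encrypted : :plaintext
  end
  :unknown
end

# Parse one authorized_keys line into its options, key type, blob and comment.
# Returns nil for blank lines and comments.
def parse_authorized_key(line)
  line = line.strip
  return nil if line.empty? || line.start_with?("#")
  if line =~ /\A(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s/
    options, rest = [], line
  else
    # Options precede the key type; quoted values may contain spaces and commas.
    m = line.match(/\A((?:[^\s"]|"[^"]*")+)\s+(.*)\z/)
    return nil unless m
    options = m[1].scan(/(?:[^,"]|"[^"]*")+/)
    rest = m[2]
  end
  type, blob, comment = rest.split(/\s+/, 3)
  { options: options, type: type, blob: blob, comment: comment }
end

# Returns one finding string per authorized_keys entry that is not confined
# to a forced command and a known source address.
def audit_authorized_keys(text)
  findings = []
  text.each_line.with_index(1) do |line, n|
    entry = parse_authorized_key(line)
    next unless entry
    names = entry[:options].map { |o| o.split("=", 2).first }
    problems = []
    problems << "no forced command (restrict/command=)" unless names.include?("restrict") || names.include?("command")
    problems << "no source restriction (from=)" unless names.include?("from")
    next if problems.empty?
    findings << "line #{n} (#{entry[:comment] || entry[:type]}): #{problems.join('; ')}"
  end
  findings
end

# Constructed sample: only the header fields the parser reads, no key material.
def build_openssh_key(cipher, kdf)
  s = ->(str) { [str.bytesize].pack("N") + str }
  blob = OPENSSH_MAGIC + s.(cipher) + s.(kdf) + s.("") # kdf options left empty here
  "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
    Base64.strict_encode64(blob).scan(/.{1,70}/).join("\n") +
    "\n-----END OPENSSH PRIVATE KEY-----\n"
end

SAMPLE_PLAINTEXT_KEY = build_openssh_key("none", "none")
SAMPLE_ENCRYPTED_KEY = build_openssh_key("aes256-ctr", "bcrypt")

# Constructed sample file: one unrestricted entry and one confined entry.
SAMPLE_AUTHORIZED_KEYS = <<~KEYS
  # constructed sample; blobs are placeholders, not real keys
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA gateway-unrestricted@example
  restrict,command="/usr/local/bin/svn-serve-readonly",from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA gateway-confined@example
KEYS

if __FILE__ == $PROGRAM_NAME
  puts "plaintext sample: #{private_key_protection(SAMPLE_PLAINTEXT_KEY)}"
  puts "encrypted sample: #{private_key_protection(SAMPLE_ENCRYPTED_KEY)}"
  audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).each { |f| puts "finding: #{f}" }
end
```

Run against a real host with `private_key_protection(File.read(path))` for each key under the gateway account and `audit_authorized_keys(File.read(...))` on the files the svn server and any self-hosted git remote use to accept the gateway's key. A forced command on the accepting side limits what a leaked key can do even when, as the report notes, cron forces the key itself to be stored without a passphrase.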