From: Luis Lavena <luislavena@...>
Date: 2012-09-30T02:21:13+09:00
Subject: [ruby-core:47742] Re: [ruby-trunk - Bug #7085][Open] Subversion 	→ GitHub gateway stops.

--90e6ba308f2efb6fbf04cada654c
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

Thank you Shyouhei Urabe,

Wouldn't be possible setup the bridge on same subversion server so it
doesn't require ssh keys to push?

The idea is: subversion repository is local, so is git repository.

We expose git repo too as read-only and we can ask github to mirror it as
github.com/ruby/ruby

That way we don't need ssh keys and basic gateway can run secure.

Who provides ruby svn?

Sorry for top posting. Sent from mobile.
On Sep 29, 2012 9:40 AM, "shyouhei (Shyouhei Urabe)" <shyouhei@ruby-lang.org>
wrote:

>
> Issue #7085 has been reported by shyouhei (Shyouhei Urabe).
>
> ----------------------------------------
> Bug #7085: Subversion → GitHub gateway stops.
> https://bugs.ruby-lang.org/issues/7085
>
> Author: shyouhei (Shyouhei Urabe)
> Status: Open
> Priority: Immediate
> Assignee:
> Category: Project
> Target version:
> ruby -v: not version dependent
>
>
> Abstract: Sorry  for your inconvenience.  Due to  my resigning job
> at  netlab.jp, the Subversion  to GitHub  gateway stops  now.  The
> gateway was located there, maintained by me.
>
> Biggest problem to reboot the gateway is its ssh private keys.  it
> first ssh into the canonical svn server to pull the repo, then ssh
> into github to  push it.  Both ssh sessions  need private keys and
> as the gateway  runs totally automatic using cron,  those keys are
> not passphrased.
>
> Ruby's  canonical repo  has once  been cracked.   GitHub  also had
> vulnerability  before.  Leaking  these  keys is  a serious  threat
> against our  project. A malicious  codes can be injected  by using
> (either of) them.
>
> So sorry,  I don't  want to put  these keys  on any VPS,  IaaS, or
> colocations or anything like that.   Doing so is in fact easy, and
> makes  the  gateway  working  again,  but will  introduce  a  huge
> security threat.
>
> In  order to  properly  fix  this sitution,  a  RELIABLE place  is
> mandatory, where no access is  possible from the internet, yet the
> gateway  itself  can  connect  to  ruby-lang.org  and  github.com.
> Normal  company   intranets  behind  NATs   should  suffice,  like
> netlab.jp was, Though I doubt a "normal" company intranet will not
> welcome a black box like the gateway.
>
> =========
>
> Githubゲートウエイは卜部離職に伴い停止しております。現在のところ復
> 旧の見込みはございません。このようなアナウンスが事後になってしまい
> ましたことを深くお詫び申し上げます。根回しが足りてなくてごめんなさ
> い。
>
> そもそもgithubへのゲートウエイは何らかのプロジェクトで開発されたも
> のではなく卜部が少しずつ暇を見つけてはメンテナンスしていたもので、
> その実態はNaCl東京支社の卜部席に設置してあった卜部私物計算機の中で
> 動いていました。離職に際しこの計算機は停止の上引き払いました。その
> ためサービスも巻き添えで停止したという形です。
>
> 復旧に際して問題となるのはssh鍵です。仕組み上、ゲートウエイマシン
> はrubyのsvnサーバにsshしてデータを取得した後、次にはgithubにsshし
> てデータを更新する必要があり、それをcronで回す関係上、どちらで使う
> 秘密鍵も、ゲートウエイマシン上に、パスフレーズなしで存在している必
> 要があります。
>
> Rubyのレポジトリにはクラックされた実績があります。githubにも脆弱性
> を突かれた実績があります。したがって、これらのパスフレーズのない
> ssh鍵が流出するのはかなり危険です。どちらの鍵が流出しても、Rubyの
> ソースコードに悪意ある改変を加えることが可能になります。私としては
> この鍵を自分の管理下にない計算機に設置したくありません。どこかの
> VPSなどを借りてスクリプトを動かせば、数分から数時間程度でゲートウ
> エイを移築できることは確認済みですが、その確認の際にも確認にはssh
> agent forwardingを用いました。
>
> こういった理由により今すぐにgithubとの同期を復旧するのはなかなかに
> 困難です。いや、正確に言うのであれば、べつに技術的な困難はないのだ
> が、それをやるとセキュリティ上の懸念がある。少なくとも外部インター
> ネット側からのアクセスができない(が、こちらからはruby-lang.orgと
> github.comへのコネクションが張れる)ネットワークで、ある程度信頼で
> きるホストしか設置されていない場所、に相当する場所を探す必要がある
> という認識でおります。べつに普通の企業の社内ネットワークで構わない
> と思いますが、そこに社業と関係ない計算機を設置する是非ですよね。
>
>
> --
> http://bugs.ruby-lang.org/
>
>

--90e6ba308f2efb6fbf04cada654c
Content-Type: text/html; charset=ISO-2022-JP
Content-Transfer-Encoding: base64

PHA+VGhhbmsgeW91IFNoeW91aGVpIFVyYWJlLCA8L3A+CjxwPldvdWxkbiYjMzk7dCBiZSBwb3Nz
aWJsZSBzZXR1cCB0aGUgYnJpZGdlIG9uIHNhbWUgc3VidmVyc2lvbiBzZXJ2ZXIgc28gaXQgZG9l
c24mIzM5O3QgcmVxdWlyZSBzc2gga2V5cyB0byBwdXNoPyA8L3A+CjxwPlRoZSBpZGVhIGlzOiBz
dWJ2ZXJzaW9uIHJlcG9zaXRvcnkgaXMgbG9jYWwsIHNvIGlzIGdpdCByZXBvc2l0b3J5LiA8L3A+
CjxwPldlIGV4cG9zZSBnaXQgcmVwbyB0b28gYXMgcmVhZC1vbmx5IGFuZCB3ZSBjYW4gYXNrIGdp
dGh1YiB0byBtaXJyb3IgaXQgYXMgPGEgaHJlZj0iaHR0cDovL2dpdGh1Yi5jb20vcnVieS9ydWJ5
Ij5naXRodWIuY29tL3J1YnkvcnVieTwvYT48L3A+CjxwPlRoYXQgd2F5IHdlIGRvbiYjMzk7dCBu
ZWVkIHNzaCBrZXlzIGFuZCBiYXNpYyBnYXRld2F5IGNhbiBydW4gc2VjdXJlLiA8L3A+CjxwPldo
byBwcm92aWRlcyBydWJ5IHN2bj8gPC9wPgo8cD5Tb3JyeSBmb3IgdG9wIHBvc3RpbmcuIFNlbnQg
ZnJvbSBtb2JpbGUuPC9wPgo8ZGl2IGNsYXNzPSJnbWFpbF9xdW90ZSI+T24gU2VwIDI5LCAyMDEy
IDk6NDAgQU0sICZxdW90O3NoeW91aGVpIChTaHlvdWhlaSBVcmFiZSkmcXVvdDsgJmx0OzxhIGhy
ZWY9Im1haWx0bzpzaHlvdWhlaUBydWJ5LWxhbmcub3JnIj5zaHlvdWhlaUBydWJ5LWxhbmcub3Jn
PC9hPiZndDsgd3JvdGU6PGJyIHR5cGU9ImF0dHJpYnV0aW9uIj48YmxvY2txdW90ZSBjbGFzcz0i
Z21haWxfcXVvdGUiIHN0eWxlPSJtYXJnaW46MCAwIDAgLjhleDtib3JkZXItbGVmdDoxcHggI2Nj
YyBzb2xpZDtwYWRkaW5nLWxlZnQ6MWV4Ij4KPGJyPgpJc3N1ZSAjNzA4NSBoYXMgYmVlbiByZXBv
cnRlZCBieSBzaHlvdWhlaSAoU2h5b3VoZWkgVXJhYmUpLjxicj4KPGJyPgotLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tPGJyPgpCdWcgIzcwODU6IFN1YnZlcnNpb24gGyRC
IiobKEIgR2l0SHViIGdhdGV3YXkgc3RvcHMuPGJyPgo8YSBocmVmPSJodHRwczovL2J1Z3MucnVi
eS1sYW5nLm9yZy9pc3N1ZXMvNzA4NSIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBzOi8vYnVncy5ydWJ5
LWxhbmcub3JnL2lzc3Vlcy83MDg1PC9hPjxicj4KPGJyPgpBdXRob3I6IHNoeW91aGVpIChTaHlv
dWhlaSBVcmFiZSk8YnI+ClN0YXR1czogT3Blbjxicj4KUHJpb3JpdHk6IEltbWVkaWF0ZTxicj4K
QXNzaWduZWU6PGJyPgpDYXRlZ29yeTogUHJvamVjdDxicj4KVGFyZ2V0IHZlcnNpb246PGJyPgpy
dWJ5IC12OiBub3QgdmVyc2lvbiBkZXBlbmRlbnQ8YnI+Cjxicj4KPGJyPgpBYnN0cmFjdDogU29y
cnkgJm5ic3A7Zm9yIHlvdXIgaW5jb252ZW5pZW5jZS4gJm5ic3A7RHVlIHRvICZuYnNwO215IHJl
c2lnbmluZyBqb2I8YnI+CmF0ICZuYnNwOzxhIGhyZWY9Imh0dHA6Ly9uZXRsYWIuanAiIHRhcmdl
dD0iX2JsYW5rIj5uZXRsYWIuanA8L2E+LCB0aGUgU3VidmVyc2lvbiAmbmJzcDt0byBHaXRIdWIg
Jm5ic3A7Z2F0ZXdheSBzdG9wcyAmbmJzcDtub3cuICZuYnNwO1RoZTxicj4KZ2F0ZXdheSB3YXMg
bG9jYXRlZCB0aGVyZSwgbWFpbnRhaW5lZCBieSBtZS48YnI+Cjxicj4KQmlnZ2VzdCBwcm9ibGVt
IHRvIHJlYm9vdCB0aGUgZ2F0ZXdheSBpcyBpdHMgc3NoIHByaXZhdGUga2V5cy4gJm5ic3A7aXQ8
YnI+CmZpcnN0IHNzaCBpbnRvIHRoZSBjYW5vbmljYWwgc3ZuIHNlcnZlciB0byBwdWxsIHRoZSBy
ZXBvLCB0aGVuIHNzaDxicj4KaW50byBnaXRodWIgdG8gJm5ic3A7cHVzaCBpdC4gJm5ic3A7Qm90
aCBzc2ggc2Vzc2lvbnMgJm5ic3A7bmVlZCBwcml2YXRlIGtleXMgYW5kPGJyPgphcyB0aGUgZ2F0
ZXdheSAmbmJzcDtydW5zIHRvdGFsbHkgYXV0b21hdGljIHVzaW5nIGNyb24sICZuYnNwO3Rob3Nl
IGtleXMgYXJlPGJyPgpub3QgcGFzc3BocmFzZWQuPGJyPgo8YnI+ClJ1YnkmIzM5O3MgJm5ic3A7
Y2Fub25pY2FsIHJlcG8gJm5ic3A7aGFzIG9uY2UgJm5ic3A7YmVlbiBjcmFja2VkLiAmbmJzcDsg
R2l0SHViICZuYnNwO2Fsc28gaGFkPGJyPgp2dWxuZXJhYmlsaXR5ICZuYnNwO2JlZm9yZS4gJm5i
c3A7TGVha2luZyAmbmJzcDt0aGVzZSAmbmJzcDtrZXlzIGlzICZuYnNwO2Egc2VyaW91cyAmbmJz
cDt0aHJlYXQ8YnI+CmFnYWluc3Qgb3VyICZuYnNwO3Byb2plY3QuIEEgbWFsaWNpb3VzICZuYnNw
O2NvZGVzIGNhbiBiZSBpbmplY3RlZCAmbmJzcDtieSB1c2luZzxicj4KKGVpdGhlciBvZikgdGhl
bS48YnI+Cjxicj4KU28gc29ycnksICZuYnNwO0kgZG9uJiMzOTt0ICZuYnNwO3dhbnQgdG8gcHV0
ICZuYnNwO3RoZXNlIGtleXMgJm5ic3A7b24gYW55IFZQUywgJm5ic3A7SWFhUywgb3I8YnI+CmNv
bG9jYXRpb25zIG9yIGFueXRoaW5nIGxpa2UgdGhhdC4gJm5ic3A7IERvaW5nIHNvIGlzIGluIGZh
Y3QgZWFzeSwgYW5kPGJyPgptYWtlcyAmbmJzcDt0aGUgJm5ic3A7Z2F0ZXdheSAmbmJzcDt3b3Jr
aW5nICZuYnNwO2FnYWluLCAmbmJzcDtidXQgd2lsbCAmbmJzcDtpbnRyb2R1Y2UgJm5ic3A7YSAm
bmJzcDtodWdlPGJyPgpzZWN1cml0eSB0aHJlYXQuPGJyPgo8YnI+CkluICZuYnNwO29yZGVyIHRv
ICZuYnNwO3Byb3Blcmx5ICZuYnNwO2ZpeCAmbmJzcDt0aGlzIHNpdHV0aW9uLCAmbmJzcDthICZu
YnNwO1JFTElBQkxFIHBsYWNlICZuYnNwO2lzPGJyPgptYW5kYXRvcnksIHdoZXJlIG5vIGFjY2Vz
cyBpcyAmbmJzcDtwb3NzaWJsZSBmcm9tIHRoZSBpbnRlcm5ldCwgeWV0IHRoZTxicj4KZ2F0ZXdh
eSAmbmJzcDtpdHNlbGYgJm5ic3A7Y2FuICZuYnNwO2Nvbm5lY3QgJm5ic3A7dG8gJm5ic3A7PGEg
aHJlZj0iaHR0cDovL3J1YnktbGFuZy5vcmciIHRhcmdldD0iX2JsYW5rIj5ydWJ5LWxhbmcub3Jn
PC9hPiAmbmJzcDthbmQgJm5ic3A7PGEgaHJlZj0iaHR0cDovL2dpdGh1Yi5jb20iIHRhcmdldD0i
X2JsYW5rIj5naXRodWIuY29tPC9hPi48YnI+Ck5vcm1hbCAmbmJzcDtjb21wYW55ICZuYnNwOyBp
bnRyYW5ldHMgJm5ic3A7YmVoaW5kICZuYnNwO05BVHMgJm5ic3A7IHNob3VsZCAmbmJzcDtzdWZm
aWNlLCAmbmJzcDtsaWtlPGJyPgo8YSBocmVmPSJodHRwOi8vbmV0bGFiLmpwIiB0YXJnZXQ9Il9i
bGFuayI+bmV0bGFiLmpwPC9hPiB3YXMsIFRob3VnaCBJIGRvdWJ0IGEgJnF1b3Q7bm9ybWFsJnF1
b3Q7IGNvbXBhbnkgaW50cmFuZXQgd2lsbCBub3Q8YnI+CndlbGNvbWUgYSBibGFjayBib3ggbGlr
ZSB0aGUgZ2F0ZXdheS48YnI+Cjxicj4KPT09PT09PT09PGJyPgo8YnI+CkdpdGh1YhskQiUyITwl
SCUmJSglJCRPS05JdE4lPyYkS0g8JCREZDtfJDckRiQqJGokXiQ5ISM4PTpfJE4kSCQzJG1JfBso
Qjxicj4KGyRCNWwkTjgrOX4kXyRPJDQkNiQkJF4kOyRzISMkMyROJGgkJiRKJSIlSiUmJXMlOSQs
O3Y4ZSRLJEokQyRGJDckXiQkGyhCPGJyPgobJEIkXiQ3JD8kMyRIJHI/PCQvJCpPTSRTPz0kNz5l
JDIkXiQ5ISM6LDJzJDckLEItJGokRiRKJC8kRiQ0JGEkcyRKJDUbKEI8YnI+ChskQiQkISMbKEI8
YnI+Cjxicj4KGyRCJD0kYiQ9JGIbKEJnaXRodWIbJEIkWCROJTIhPCVIJSYlKCUkJE8yPyRpJCsk
TiVXJW0lOCUnJS8lSCRHMytILyQ1JGwkPyRiGyhCPGJyPgobJEIkTiRHJE8kSiQvS05JdCQsPi8k
NyQ6JEQySyRyOCskRCQxJEYkTyVhJXMlRiVKJXMlOSQ3JEYkJCQ/JGIkTiRHISIbKEI8YnI+Chsk
QiQ9JE48QkJWJE8bKEJOYUNsGyRCRWw1fjtZPFIkTktOSXRASiRLQF9DViQ3JEYkIiRDJD9LTkl0
O2RKKjdXOzs1ISROQ2YkRxsoQjxicj4KGyRCRjAkJCRGJCQkXiQ3JD8hI04lPyYkSzpdJDckMyRO
N1c7OzUhJE9EZDtfJE4+ZTB6JC1KJyQkJF4kNyQ/ISMkPSROGyhCPGJyPgobJEIkPyRhJTUhPCVT
JTkkYjQsJC1FOiQoJEdEZDtfJDckPyRIJCQkJjdBJEckOSEjGyhCPGJyPgo8YnI+ChskQkl8NWwk
SzpdJDckRkxkQmokSCRKJGskTiRPGyhCc3NoGyRCODAkRyQ5ISM7RUFIJF8+ZSEiJTIhPCVIJSYl
KCUkJV4lNyVzGyhCPGJyPgobJEIkTxsoQnJ1YnkbJEIkThsoQnN2bhskQiU1ITwlUCRLGyhCc3No
GyRCJDckRiVHITwlPyRyPGhGQCQ3JD84ZSEiPCEkSyRPGyhCZ2l0aHViGyRCJEsbKEJzc2gbJEIk
NxsoQjxicj4KGyRCJEYlRyE8JT8kcjk5PzckOSRrSSxNVyQsJCIkaiEiJD0kbCRyGyhCY3Jvbhsk
QiRHMnMkOTRYNzg+ZSEiJEkkQSRpJEc7SCQmGyhCPGJyPgobJEJIa0wpODAkYiEiJTIhPCVIJSYl
KCUkJV4lNyVzPmUkSyEiJVElOSVVJWwhPCU6JEokNyRHQjg6XyQ3JEYkJCRrSSwbKEI8YnI+Chsk
Qk1XJCwkIiRqJF4kOSEjGyhCPGJyPgo8YnI+ClJ1YnkbJEIkTiVsJV0lOCVIJWokSyRPJS8laSVD
JS8kNSRsJD88QkBTJCwkIiRqJF4kOSEjGyhCZ2l0aHViGyRCJEskYkBIPGVALRsoQjxicj4KGyRC
JHJGTSQrJGwkPzxCQFMkLCQiJGokXiQ5ISMkNyQ/JCwkQyRGISIkMyRsJGkkTiVRJTklVSVsITwl
OiROJEokJBsoQjxicj4Kc3NoGyRCODAkLE4uPVAkOSRrJE4kTyQrJEokajRtODEkRyQ5ISMkSSRB
JGkkTjgwJCxOLj1QJDckRiRiISIbKEJSdWJ5GyRCJE4bKEI8YnI+ChskQiU9ITwlOSUzITwlSSRL
MC0wVSQiJGsyfkpRJHIyQyQoJGskMyRIJCwyREc9JEskSiRqJF4kOSEjO2QkSCQ3JEYkTxsoQjxi
cj4KGyRCJDMkTjgwJHI8K0osJE40SU19MjwkSyRKJCQ3Vzs7NSEkS0BfQ1YkNyQ/JC8kIiRqJF4k
OyRzISMkSSQzJCskThsoQjxicj4KVlBTGyRCJEokSSRyPFokaiRGJTklLyVqJVclSCRyRjAkKyQ7
JFAhIj90SiwkKyRpP3Q7fjRWRHhFWSRHJTIhPCVIJSYbKEI8YnI+ChskQiUoJSQkcjBcQ1skRyQt
JGskMyRIJE8zTkcnOlEkXyRHJDkkLCEiJD0kTjNORyckTjpdJEskYjNORyckSyRPGyhCc3NoPGJy
PgphZ2VudCBmb3J3YXJkaW5nGyRCJHJNUSQkJF4kNyQ/ISMbKEI8YnI+Cjxicj4KGyRCJDMkJiQk
JEMkP019TTMkSyRoJGo6IyQ5JDAkSxsoQmdpdGh1YhskQiRIJE5GMTR8JHJJfDVsJDkkayROJE8k
SiQrJEokKyRLGyhCPGJyPgobJEI6JEZxJEckOSEjJCQkZCEiQDUzTiRLOEAkJiROJEckIiRsJFAh
IiRZJEQkSzU7PVFFKiRKOiRGcSRPJEokJCROJEAbKEI8YnI+ChskQiQsISIkPSRsJHIkZCRrJEgl
OyUtJWUlaiVGJSM+ZSRON3xHMCQsJCIkayEjPi8kSiQvJEgkYjMwSXQlJCVzJT8hPBsoQjxicj4K
GyRCJU0lQyVIQiYkKyRpJE4lIiUvJTslOSQsJEckLSRKJCQbKEIoGyRCJCwhIiQzJEEkaSQrJGkk
TxsoQjxhIGhyZWY9Imh0dHA6Ly9ydWJ5LWxhbmcub3JnIiB0YXJnZXQ9Il9ibGFuayI+cnVieS1s
YW5nLm9yZzwvYT4bJEIkSBsoQjxicj4KPGEgaHJlZj0iaHR0cDovL2dpdGh1Yi5jb20iIHRhcmdl
dD0iX2JsYW5rIj5naXRodWIuY29tPC9hPhskQiRYJE4lMyVNJS8lNyVnJXMkLEQlJGwkaxsoQikb
JEIlTSVDJUglbyE8JS8kRyEiJCIka0R4RVk/Lk1qJEcbKEI8YnI+ChskQiQtJGslWyU5JUgkNyQr
QF9DViQ1JGwkRiQkJEokJD5sPWohIiRLQWpFdiQ5JGs+bD1qJHJDNSQ5SSxNVyQsJCIkaxsoQjxi
cj4KGyRCJEgkJCQmRyc8MSRHJCokaiReJDkhIyRZJEQkS0lhREwkTjRrNkgkTjxSRmIlTSVDJUgl
byE8JS8kRzk9JG8kSiQkGyhCPGJyPgobJEIkSDtXJCQkXiQ5JCwhIiQ9JDMkSzxSNkgkSDRYNzgk
SiQkN1c7OzUhJHJAX0NWJDkka0AnSHMkRyQ5JGgkTSEjGyhCPGJyPgo8YnI+Cjxicj4KLS08YnI+
CjxhIGhyZWY9Imh0dHA6Ly9idWdzLnJ1YnktbGFuZy5vcmcvIiB0YXJnZXQ9Il9ibGFuayI+aHR0
cDovL2J1Z3MucnVieS1sYW5nLm9yZy88L2E+PGJyPgo8YnI+CjwvYmxvY2txdW90ZT48L2Rpdj4K
--90e6ba308f2efb6fbf04cada654c--