Thanks for the upgrade! If anyone except me was greeted by the following strange error after the upgrade:

  jas@kaka:~/src/gnulib$ git pull
  sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE42315277" from agent: agent refused operation
  j...@git.sv.gnu.org's password:

The reason is that you are running a too old GnuPG version.  Alas
Trisquel 11 (and therefore Ubuntu 22.04) is shipping this old version,
so many may be affected.  See bug report here:

https://dev.gnupg.org/T5931

One way to work around this is to insert this into your ~/.ssh/config:

Host git.sv.gnu.org
    # https://dev.gnupg.org/T5931
    # KexAlgorithms -sntrup761x25519-sha...@openssh.com
    PubkeyAuthentication=unbound

As you can see another workaround is to disable sntrup761x25519, but it
is a security tradeoff which option to disable.

Of course, upgrading GnuPG is better, but for those of us who chose to
stay on Trisquel 11 the above may be a simpler way forward.

/Simon

Bob Proulx <b...@proulx.com> writes:

> Savannah Hackers,
>
> I sent this to savannah-users for user consumption and am forwarding
> it to savannah-hackers-public for hacker consumption.
>
> Bob
>
> From: Bob Proulx <b...@proulx.com>
> Subject: git server upgraded
> To: savannah-us...@gnu.org
> Date: Fri, 20 Sep 2024 14:57:56 -0600 (10 hours, 13 minutes, 47 seconds ago)
> Mail-Followup-To: savannah-us...@gnu.org
>
> Savannah Users,
>
> TL;DR: git server upgraded, please report any problems
>
> Hello Everyone!  Just a quick state of the system on the git services
> side of things.  A quick back notification on the SQL database system.
> A hint at continuing upgrades in the works.
>
> After various obstacles were cleared the git service has been migrated
> from the previous Trisquel 9 system to a current Trisquel 11 system.
> This brings in updates to git, updates to OpenSSH used for member
> access, updates to nginx used for HTTP access, and upgrades to cgit
> used for web side browsing of the version history.
>
> Among the obstacles the MariaDB API used to access the SQL database
> changed program interfaces which broke building the libnss-mysql
> library used to bridge those two things.  The change was minor.  The
> reconnect structure member has been deprecated for a looong time and
> has finally been removed entirely.  But it was working, it was
> compiling, no problems were seen.  Until it was compiled on Trisquel
> 10 with the updated MariaDB client development there.  Yes I know that
> was 10 and 11 has been out for a while.  But that's why we didn't get
> this done for Trisquel 10.  Life and time is what keeps everything
> from happening all at once.
>
> It's now been updated.  We are using it for Savannah and need it.  I
> have been maintaining it for Savannah's use.  I decided to make more
> complete upgrades to it.  Updated the C code for that API change.  And
> then spent more time updating the autotools build system used by it.
> Changes to the GNU autotools required more updating than the C API
> change!  And then also updated the deb packaging.  There is still more
> work needed to polish up the deb packaging but it's functional again and
> everything is working on the current Trisquel 11.  I expect when 12
> releases that we will be able to roll to it quickly.
>
> https://git.savannah.gnu.org/cgit/administration/libnss-mysql.git/
> https://download.savannah.gnu.org/releases/administration/libnss-mysql/
>
> Another much more minor obstacle was that git version 2.35.2
> introduced a security check for CVE-2022-24765 with this commit
> of interest to us.
>
> https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
>
> My paraphrased summary is that a social engineering attack was
> possible mostly in an education environment where a combination of a
> git enabled PS1 prompt along with a malicious person crafting a .git
> directory above the work area of others can execute code as that other
> user leading to a compromise of their account.
> The git upstream fix to this problem now checks that the git
> repository directory owner is the same user as the current user or
> it exits with a fatal error.
>
> Immediately you can see that in a multi-member project such as those
> hosted on Savannah only one user can own the repository and all of the
> other committing members are left out unable to also own it.  Git will
> immediately exit with the fatal error.  It's changes such as this
> which make DevOps "interesting" in the curse sense of the word.
> Fortunately we normally create upgraded systems over in a development
> area first, find these types of problems there, mitigate them, and
> then roll services onto the production system after having already
> mitigated the problem.
>
> In this case git now requires a never before needed /etc/gitconfig
> file instructing git to ignore this check for our Savannah
> repositories.  We don't have the same environment the check is
> designed to protect people from that type of an attack and must
> disable it in order to host multi-member projects.
>
> I mentioned the SQL server was previously upgraded.  That was less
> exciting.  Which is good!  Not Internet facing.  No one would notice
> the difference.  The MariaDB SQL database server was previously
> upgraded from Trisquel 9 to the current Trisquel 11 as well.  At that
> opportunistic time the database engines were upgraded from the many
> that were MyISAM to InnoDB.  I might describe InnoDB as the new engine
> but it's been the default since 2010.  But Savannah's database has
> been around since 2000 and predates this.  InnoDB is ACID compliant
> (what you want in a database) and enables future improvements such as
> replication.  The charsets were also upgraded uniformly at the same
> time to utf8mb4 from their eclectic collection of latin1 and utf8.
> This should avoid some of the strange multi-byte character issues.
>
> There is a known problem with cgit's index page.
> No one has been able to determine why but the problem has been
> reported (THANK YOU for the problem reports!) and reproduced very
> often now.  The index page has garbled project links.  We know about
> it.  We have tried to debug it.  So far no joy at determining the
> problem.  The problem appears and then disappears.  And to both
> servers at the same time.
>
> https://git.savannah.gnu.org/cgit/ (link mangling bug)
>
> With the new server upgrade almost ready I decided to push the server
> upgrade through before working on the cgit index page debugging.  Now
> that the new system is online I will be focusing effort on debugging
> and fixing the cgit index page problem.
>
> The Subversion server is next on my task queue for upgrade.
> Subversion as with the other version control systems all share the
> same MariaDB SQL user account database and therefore did share in that
> system upgrade.  Subversion is not forgotten.  Subversion has been
> working away trouble free and I hate to mess with trouble-free working
> systems!  It's been rock solid reliable.  But it's time to upgrade its
> server too.  That will again upgrade member ssh access.  It will
> upgrade anonymous read-only checkout via Apache's WebDAV interface.
> That's in the task queue and will be happening not far off now.
>
> I haven't mentioned hg and bzr yet.  Not forgotten.  But later
> down in the task queue.
>
> This has been a quick state of the Savannah vcs system update!
> Bob
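
The ownership check described in the quoted announcement, modelled as an added example (not git's code and not from either message): a simplified Python version that finds the nearest .git at or above a working directory and decides whether a given uid would be trusted, with safe.directory entries as the override. The function names, verdict strings and the temporary directory tree are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path


def discover_repo(start):
    """Return the nearest directory at or above start that contains .git."""
    here = Path(start).resolve()
    for candidate in (here, *here.parents):
        if (candidate / ".git").is_dir():
            return candidate
    return None


def ownership_verdict(start, current_uid, safe_directories=()):
    """Simplified model of the post-CVE-2022-24765 check (not git's code).

    safe_directories stands in for safe.directory values read from system
    or user configuration; only an exact path or "*" is modelled here.
    """
    top = discover_repo(start)
    if top is None:
        return "no-repository"
    owners = {top.stat().st_uid, (top / ".git").stat().st_uid}
    if owners == {current_uid}:
        return "trusted-owner"
    if "*" in safe_directories or str(top) in safe_directories:
        return "trusted-by-config"
    return "refused"


def demo():
    """Constructed tree: a shared parent holds .git above a user's work area."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp).resolve() / "shared"
        work = shared / "alice" / "project"
        work.mkdir(parents=True)
        (shared / ".git").mkdir()
        owner = shared.stat().st_uid
        other = owner + 1  # stands in for a different account
        return {
            "owner": ownership_verdict(work, owner),
            "other": ownership_verdict(work, other),
            "other_listed": ownership_verdict(work, other, [str(shared)]),
            "other_wildcard": ownership_verdict(work, other, ["*"]),
            "other_wrong_entry": ownership_verdict(work, other, ["/srv/git/x.git"]),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The "other" case is the multi-member situation from the announcement: a committer who does not own the repository is refused unless a configuration entry covers that path.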