Page MenuHomePhabricator
Create Task
Maniphest T347408

Do not expose dead git-ssh.wikimedia.org service as repo Clone URLs (defined in diffusion.ssh-host setting)
Open, Stalled, LowPublic
Actions

Description

https://phabricator.wikimedia.org/config/edit/diffusion.ssh-host/ is still set to git-ssh.wikimedia.org which got killed in T296022: Deprecate git-ssh service on phabricator.wikimedia.org:

aklapper@phab1004:~$ sudo /srv/phab/phabricator/bin/config get diffusion.ssh-host
{
  "config": [
    {
      "key": "diffusion.ssh-host",
      "source": "local",
      "value": "git-ssh.wikimedia.org",
      "status": "set",
      "errorInfo": null
    },
    {
      "key": "diffusion.ssh-host",
      "source": "database",
      "value": null,
      "status": "unset",
      "errorInfo": null
    }
  ]
}

It's visible in many Diffusion repositories when you click the green Clone button, e.g. on https://phabricator.wikimedia.org/diffusion/EMMV/

It adds to confusion where potential contributors are supposed to get their code to hack.

Details

TitleReferenceAuthorSource BranchDest Branch
Draft: Do not expose defunct git-ssh.wikimedia.org as repo Clone URLrepos/phabricator/phabricator!21aklapperT347408-hide-gitssh-clone-uriwmf/stable
Customize query in GitLab

Related Objects
Search...

Event Timeline

Aklapper triaged this task as Low priority.Sep 26 2023, 3:23 PM
Aklapper created this task.
Aklapper mentioned this in T347476: Set security.require-https to true.Sep 27 2023, 11:35 AM
thcipriani edited projects, added Release-Engineering-Team (Seen); removed Release-Engineering-Team.Sep 27 2023, 4:54 PM
Aklapper mentioned this in T347577: Understand which repositories we mirror, observe, host in Diffusion (and fix some findings).Oct 24 2023, 8:03 PM
Aklapper renamed this task from Replace dead git-ssh.wikimedia.org service in diffusion.ssh-host setting to Do not expose dead git-ssh.wikimedia.org service as repo Clone URLs (defined in diffusion.ssh-host setting).Oct 24 2023, 11:24 PM
Aklapper claimed this task.Oct 25 2023, 9:05 AM

As a mitigation for the time being, I quickly edited those ~2650 ssh://vcs@git-ssh.wikimedia.org URIs to not be exposed when clicking the green Clone button on a Diffusion repo browsing page in the web browser.

#!/bin/bash
# SELECT u.phid, CONCAT("https://phabricator.wikimedia.org/diffusion/", r.id, "/manage/uris/"), r.name, u.uri, u.displayType FROM phabricator_repository.repository_uri u INNER JOIN phabricator_repository.repository r ON r.phid = u.repositoryPHID WHERE u.builtinProtocol = "ssh" AND u.displayType != "never" AND u.uri = "ssh://callsign";
INFILE=/home/acko/diffusionuris
while read -r URI
do
  echo '{"objectIdentifier":"'$URI'", "transactions": [{"type": "display", "value":"never"}]}' | /var/www/html/phorge/arcanist/bin/arc call-conduit --conduit-uri https://phabricator.wikimedia.org --conduit-token api-xxxxxxxxxxxxxxxxxxxxxxxxxxxx diffusion.uri.edit --
  sleep 5
done < "$INFILE"

Hiding them by default for future repos to be created would require a code change it seems.

CodeReviewBot added a project: Patch-For-Review.Oct 25 2023, 9:05 AM

aklapper opened https://gitlab.wikimedia.org/repos/phabricator/phabricator/-/merge_requests/21

Do not expose defunct git-ssh.wikimedia.org as repo Clone URL

Aklapper mentioned this in T244907: Reduce the number of six default URIs in Diffusion.Oct 25 2023, 9:26 AM
Aklapper added a parent task: T244907: Reduce the number of six default URIs in Diffusion.Fri, Apr 5, 8:48 AM
Aklapper mentioned this in T361997: Expose only canonical Clone URI in Diffusion when repo hosted externally and Differential disabled.Sat, Apr 6, 11:55 AM
Aklapper changed the task status from Open to Stalled.Tue, Apr 16, 4:47 PM

I'd like to stall this on the outcome of T361997 in upstream which might be a way better approach.

Aklapper removed Aklapper as the assignee of this task.Tue, Apr 16, 4:47 PM
Aklapper added a subtask: T361997: Expose only canonical Clone URI in Diffusion when repo hosted externally and Differential disabled.
Aklapper moved this task from To Triage to Administration (UI) on the Phabricator board.Sun, Apr 21, 3:26 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL