Bug 979986 - We checkout lot of modules using insecure git: protocol
Status: NEW
Product: Firefox OS
Classification: Client Software
Component: General
Version: unspecified
Platform: x86_64 Gonk (Firefox OS)
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
Reported: 2014-03-05 11:02 PST by Hubert Figuiere [:hub]
Modified: 2014-05-26 05:05 PDT (History)
Attachments
[PULL REQUEST] Use HTTPS instead of GIT or HTTP for all repositories (52 bytes, text/x-github-pull-request)
2014-04-24 00:49 PDT, Gabriele Svelto [:gsvelto]

Description Hubert Figuiere [:hub] 2014-03-05 11:02:36 PST
We check out a lot of modules using the insecure git: protocol

We should switch to https: instead. GitHub, Code Aurora.

I had originally filed bug 979136 concerning tarako being checked out over http:.
Comment 1 Hubert Figuiere [:hub] 2014-03-05 11:04:10 PST
Hamachi or emulator tree:

  <remote name="b2g"
          fetch="git://github.com/mozilla-b2g/" />
  <remote name="mozilla"
          fetch="git://github.com/mozilla/" />
  <remote name="caf"
          fetch="git://codeaurora.org/" />
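
An added example, not part of the bug thread or of the B2G tooling: a small audit that lists which remotes in a repo manifest are fetched over an unauthenticated transport (git:// or http://) and which projects depend on them. The three git:// remotes are the ones quoted in comment 1; the "secure" remote, the `<default>` element and the `<project>` entries are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest: the three git:// remotes are those quoted in
# comment 1; the "secure" remote, <default> and <project> entries are made up.
SAMPLE_MANIFEST = """\
<manifest>
  <remote name="b2g" fetch="git://github.com/mozilla-b2g/" />
  <remote name="mozilla" fetch="git://github.com/mozilla/" />
  <remote name="caf" fetch="git://codeaurora.org/" />
  <remote name="secure" fetch="https://example.invalid/" />
  <default remote="caf" revision="example-branch" />
  <project name="example/gaia" path="gaia" remote="b2g" />
  <project name="example/platform_build" path="build" />
  <project name="example/tool" path="tool" remote="secure" />
</manifest>
"""

# Transports that neither authenticate the server nor protect integrity.
UNAUTHENTICATED_SCHEMES = {"git", "http"}


def audit_manifest(xml_text):
    """Return {remote name: (fetch URL, [project paths])} for every remote
    whose fetch URL uses an unauthenticated transport."""
    root = ET.fromstring(xml_text)
    insecure = {}
    for remote in root.iter("remote"):
        fetch = remote.get("fetch", "")
        if urlsplit(fetch).scheme.lower() in UNAUTHENTICATED_SCHEMES:
            insecure[remote.get("name")] = (fetch, [])
    default = root.find("default")
    default_remote = default.get("remote") if default is not None else None
    for project in root.iter("project"):
        # A project without its own remote attribute inherits <default remote>.
        name = project.get("remote", default_remote)
        if name in insecure:
            insecure[name][1].append(project.get("path") or project.get("name"))
    return insecure


if __name__ == "__main__":
    for name, (fetch, paths) in sorted(audit_manifest(SAMPLE_MANIFEST).items()):
        print(f"{name}: {fetch} -> {len(paths)} project(s): {', '.join(paths)}")
```

Counting the projects that inherit the default remote matters here: a single `<default remote="caf">` can route most of a tree through git:// even when few projects name that remote explicitly.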
Comment 2 Gabriele Svelto [:gsvelto] 2014-04-24 00:49:24 PDT
Created attachment 8411629
[PULL REQUEST] Use HTTPS instead of GIT or HTTP for all repositories

I've taken an interest in this bug because I'm mentoring a student for a Firefox OS-related GSoC project and he's behind a college firewall that doesn't allow git:// connections. Since we needed a way to punch through that firewall and I remembered we had this bug lying around here's a tentative PR. A few notes:

- This has received very light manual testing. I have a script to test this that will try to configure for each and every device and ensure everything runs fine. That will take a *long* time to run so I'm holding that back until we're sure we want to do this.

- For linaro.org and codeaurora.org I had to switch to our mirrors on git.mozilla.org (external/linaro and external/caf respectively) as the original repositories don't support fetching over HTTPS AFAIK.

- For GitHub and git.mozilla.org I just switched all links to HTTPS since both already support that.

- There's still a couple of repos I haven't fixed yet:
  * http://sprdsource.spreadtrum.com which I think we're mirroring too but I'm not sure just yet so I have to test
  * git://codeaurora.org/quic/qrd-android which I also don't think we're mirroring, that will need further investigation
Comment 3 Hubert Figuiere [:hub] 2014-04-24 08:19:29 PDT
If your student doesn't do anything with Tarako it should be ok with SPRD which is covered by bug 979136. But if we mirror them I'd clearly encourage us to use the mirrors and a checkout takes a lot of time.
Comment 4 Gabriele Svelto [:gsvelto] 2014-04-25 10:30:50 PDT
(In reply to Hubert Figuiere [:hub] from comment #3)
> If your student doesn't do anything with Tarako it should be ok with SPRD
> which is covered by bug 979136.

For now he's using only the emulator so that's covered by this partial PR.

> But if we mirror them I'd clearly encourage
> us to use the mirrors and a checkout takes a lot of time.

Absolutely, the Spreadtrum repos have been pretty slow but codeaurora.org and linaro.org also gave me headaches from time to time. If we could mirror everything on git.mozilla.org I'd be a lot happier (even though they had their fair share of problems too, see bug 985864; but at least we'd be in control).
Comment 5 Michael Wu [:mwu] 2014-05-23 13:49:00 PDT
Comment on attachment 8411629
[PULL REQUEST] Use HTTPS instead of GIT or HTTP for all repositories

I have no idea how this is going to interact with our tbpl builds. You should find someone from releng who knows if this will break things. The build scripts strip out our set of remotes and replace them with a set pointing to gitmo mirrors.

Linaro repos should be replaced with caf or aosp equivalents (depending on the local default) and the remote for linaro removed entirely.

The github switch to https looks good.

I'm not comfortable with switching caf to the gitmo mirror. We should point as close to upstream as possible.
Comment 6 Gabriele Svelto [:gsvelto] 2014-05-26 03:05:37 PDT
Thanks for the feedback Michael.

(In reply to Michael Wu [:mwu] from comment #5)
> I have no idea how this is going to interact with our tbpl builds. You
> should find someone from releng who knows if this will break things. The
> build scripts strip out our set of remotes and replace them with a set
> pointing to gitmo mirrors.

Good to know; I had no idea it worked this way, I'll have to ask around.

> Linaro repos should be replaced with caf or aosp equivalents (depending on
> the local default) and the remote for linaro removed entirely.

Sounds good, that should be a trivial change.

> I'm not comfortable with switching caf to the gitmo mirror. We should point
> as close to upstream as possible.

OK, that kind of defeats the purpose of this bug because to my knowledge codeaurora.org only provides repositories over git://. Still, there's something that can be done anyway, I see three scenarios in our manifests:

- Places where we use caf with a generic tag that is also available on aosp, since those do not contain anything specific to caf, I think those could be safely switched to aosp

- Places where we use caf with a b2g-specific tag (e.g. b2g/ics_strawberry), obviously we can't switch those to aosp but I wonder whose version is closer to home in that case, ours (gitmo) or theirs (caf)?

- Places where we use caf with an old-style b2g-specific tag (e.g. AU_LINUX_GECKO_ICS_STRAWBERRY.01.00.00.19.161), this seems mostly restricted to peak and keon so I don't think we'll see many of those in the future

I'll update my PR by leaving alone the b2g-specific caf branches and I'll ask for feedback from releng to see if this is workable. Afterwards we'll see if something can be done for the caf-specific bits or not.
Comment 7 Gabriele Svelto [:gsvelto] 2014-05-26 05:05:50 PDT
Scratch part of my previous comments: in some repos the revision used from the caf mirror is not present in the aosp one even though the original source comes from aosp. This makes switching those sources to aosp a tricky proposition. I think I'll limit my changes only to what's really safe.