Home » Posts tagged "git" (Page 2)

Homebrew 蒐集到的安裝資訊

在「Homebrew Analytics Install On Request Events — Homebrew」這邊,Homebrew 利用了傳回來的資訊算出 2016/07/14 到 2017/07/14 的安裝套件次數,列出前一千名。(我是把他關掉,因為隱私問題不想要傳出去... 參考「Homebrew 會將安裝資訊送到 Google Analytics 上」這篇。)

比較有趣的是第一名的 node 超級多,比第二名加第三名的 git + wget 還多...

拿來翻一翻還 ok,順便看一下大家用什麼...

在 Git/Mercurial/Subversion 上 "-" 發生的問題

在「[ANNOUNCE] Git v2.14.1, v2.13.5, and others」這邊看到 - 開頭產生的問題:

These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.

這算是老問題了,Git 對應的修正主要是朝 filter input 的方向修正,包括了禁用 - 開頭的 hostname,以及禁止 GIT_PROXY_COMMAND- 開頭,另外是禁止開頭是 - 的 repository name:

  • A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
  • Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
  • In the same spirit, a repository name that begins with a dash "-" is also forbidden now.

然後中華電信的 DNS server (168.95.1.1 & 168.95.192.1) 都查不到 marc.info,改用 Google 的 8.8.8.8 才查得到... =_=

GitHub 引入 Code Owner 的概念

GitHub 推出了 Code Owner 的概念:「Introducing code owners」。也很直接說這個能是向 Chromium「致敬」出來的:

The code owners feature was inspired by Chromium's use of OWNERS files.

檔案名稱是 CODEOWNERS,可以放在根目錄或是 .github/ 下,可以針對不同的目錄設不同的人:

To specify code owners, create a file named CODEOWNERS in the repository's root directory (or in .github/ if you prefer) with the following format[.]

這樣一來,在 pull request 的時候就會跳出來:

另外也可以設定需要 code owner 同意才能 merge:

GitHub Apps (前身 GitHub Integrations) 的 Rate Limiting 變得更彈性

GitHub 宣佈了把 GitHub Integrations 改名為 GitHub Apps,另外 Rate Limiting 變得更彈性:「GitHub Apps (formerly Integrations) General Release」。

All GitHub Apps start with a rate limit of 5000 requests per hour. To facilitate growth we have added a dynamic rate limit for installations: organization installations with more than 20 users receive another 50 requests per hour for each user. Installations that have more than 20 repositories receive another 50 requests per hour for each repository.

所以對於超過 20 個使用者以及超過 20 個 repository 的 organization 都會增加 Rate Limiting。每個單位增加 50 requests/hour 不算太多,不過想一下好像也不少... (尤其對大一點的團體來說)

GitHub 的整合性平台

GitHub 宣佈了 Marketplace,一個將各種外部 plugin 資訊整合起來的平台,讓開發者更容易尋找有哪些工具可以幫助開發:「Introducing GitHub Marketplace and more tools to customize your workflow」。

GitHub Marketplace is a new way to discover and purchase tools that extend your workflow. Find apps to use across your development process, from continuous integration to project management and code review.

可以看到目前分成五大類:

  • Code quality
  • Code review
  • Continuous integration
  • Monitoring
  • Project management

不過看了一下,目前上 Marketplace 的還有點少,不知道是不是對於要上架的公司有另外收費...

AWS CodeCommit 總算支援東京區了...

AWS CodeCommit 宣佈支援東京、新加坡、雪梨、法蘭克福四個區域了:「AWS CodeCommit is Now Available in Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), and EU (Frankfurt) Regions」。

AWS CodeCommit 算是純 Git Hosting 的服務,但可以很容易跟 Lambda 之類的東西整合,所以要串其他的服務也不難。之前一直沒用主要還是會抱怨他的 latency...

比較特別的地方是 SSH username 的地方需要用他產生出來的 name,需要在 ~/.ssh/config 裡面設定,會比較麻煩一些,其他的到是還好。

然後由於 SSH 是採用 Trust on first use 的概念,不像是透過 PKI 稽核架構有 Root CA,所以 AWS 有提供每個區域 CodeCommit 的 SSH Fingerprint,包括了 MD5 與 SHA256 的值:「Setup Steps for SSH Connections to AWS CodeCommit Repositories on Linux, macOS, or Unix」。

前五個 active user 提供這樣的量,對於個人應該是夠用:

Unlimited repositories
50 GB-month of storage
10,000 Git requests/month

而超量的部份收費應該也還好:

$0.06 per GB-month
$0.001 per Git request

是可以考慮把一些 Private Repository 從 GitHub 上搬出來了... (當初買 GitHub 是因為他的穩定度比 Bitbucket 以及 GitLab.com 都好不少)

Google 與 CWI Amsterdam 合作,找到 SHA-1 第一個 collision

GoogleCWI Amsterdam 正式攻陷 SHA-1:「Announcing the first SHA1 collision」,然後也沒什麼意外的,現在大家都喜歡針對各種安全問題註冊一個 domain 來介紹:「SHAttered」。

shattered-1.pdfshattered-2.pdf 下載下來確認,可以看出來兩個不一樣的檔案有同樣的 SHA-1 value:

gslin@home [/tmp] [21:33/W4] sha1sum *.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-1.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-2.pdf

gslin@home [/tmp] [21:33/W4] sha256sum *.pdf
2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0  shattered-1.pdf
d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff  shattered-2.pdf

直接拿 pdf 來打,表達的是「一次到位」以及「既然可以攻擊 pdf,那麼其他東西當然也有可能」...

攻擊計算量的部份,這次攻擊使用的資源其實不算少,但對於大公司與大單位已經不是問題了,猜這次 Google 應該是贊助不少雲端設施:

  • 6,500 years of CPU computation to complete the attack first phase
  • 110 years of GPU computation to complete the second phase

這衍生出另外一個頭比較大的問題是 Git 目前使用的 SHA1:

GIT strongly relies on SHA-1 for the identification and integrity checking of all file objects and commits. It is essentially possible to create two GIT repositories with the same head commit hash and different contents, say a benign source code and a backdoored one. An attacker could potentially selectively serve either repository to targeted users. This will require attackers to compute their own collision.

這下得來看 Git 核心團隊要怎麼從 SHA-1 migrate 到其他 hash function 了...

Archives