Will GitHub Protocol Changes Affect EndeavourOS Repo?

The following article was put out last year, so I’m sure for some this is not necessarily new news, but rather some of the GitHub changes that take effect today. According to a GitHub article posted back on 09.2021 here:

https://github.blog/2021-09-01-improving-git-protocol-security-github/

By March 15, 2022. Changes will be made permanent.

We’ll permanently stop accepting DSA keys. RSA keys uploaded after the cut-off point above will work only with SHA-2 signatures (but again, RSA keys uploaded before this date will continue to work with SHA-1). The deprecated MACs, ciphers, and unencrypted Git protocol will be permanently disabled.

Only users connecting via SSH or git:// are affected.

That change is now today, which got me wondering. Now I’ll be honest, this is a bit over my head, but out of curiosity, I just want to ask, are the PKGBUILDS in the EndeavourOS all unaffected or do any/some of the PKGBUILDS need to be tweaked for this?

I’m looking over some of the EndeavourOS PKGBUILDS here right now:

https://github.com/endeavouros-team/PKGBUILDS

And I’m no GitHub expert by any means, but from what I can gather, these PKGBUILDS (I haven’t looked at all of them, fyi) look to be using https, so I want to say EndeavourOS is unaffected by this? I’m just looking for some clarification, not worried about anything really, just out of curiosity more than anything, as I know the GitHub changes are meant to strengthen security protocols. Thanks for reading my post and I appreciate any replies and comments to help me understand this better.

No, this is about authentication with keys. You shouldn’t need to authenticate to build a package.

If I am reading it correctly, the only potential impact would be if an EOS developer had old weak ciphers in their keys. Even if that was the case, it would be a fairly minor issue to replace them with new keys and shouldn’t impact the general running of EndeavourOS.

1 Like

How would you know which, if any, keys that need to be updated I wonder? Also, thanks for clarifying that a bit for me.

Anyone who has such keys should know if they meet the updated requirements. In the event they didn’t, they would figure it out as soon as they tried to use them.

Ahhh okay, thanks for clearing that up! 👍

1 Like

@dalto

Looks like the rules are in effect this morning. I got my first AUR GIT download rejection. So I have filed a bug for the maintainer of the package.

Example of the Error:

:: (1/1) Parsing SRCINFO: gnome-shell-extension-nordvpn-connect-git
==> Making package: gnome-shell-extension-nordvpn-connect-git r194.a4cfe2c-1 (Sun 08 May 2022 11:14:42 AM)
==> Retrieving sources...
  -> Cloning NordVPN-connect git repo...
Cloning into bare repository '/home/user/.cache/yay/gnome-shell-extension-nordvpn-connect-git/NordVPN-connect'...
fatal: remote error:
  The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
==> ERROR: Failure while downloading NordVPN-connect git repo
    Aborting...
 -> error downloading sources: gnome-shell-extension-nordvpn-connect-git
         context: exit status 1

It looks like he is using a git url for unauthenticated access in the PKGBUILD.

If you change the source line to git+https://github.com/AlexPoilrouge/NordVPN-connect.git it will probably work.

1 Like

Thanks Dalto. I’m just going through the Arch Wiki to learn how to edit a package prior to installing it (never done that before).

So I can view the diff and I saw this (which I assume means the package is using the right URL, but of course I am guessing so I might be wrong):

No, the source needs to be changed to git+https://github.com/AlexPoilrouge/NordVPN-connect.git. In your screenshot it is git://github.com/AlexPoilrouge/NordVPN-connect.git

1 Like

Thanks Dalto. Looks like the build is now working. Pretty much I was able to edit the package with the following command:

 yay -S --editmenu gnome-shell-extension-nordvpn-connect-git

So good little lesson for me (as normally I just report the bugs like a good QA :).

2 Likes
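
As an added example (not part of the thread or of any package's own code), the source-line change discussed above can be checked for and applied with a short shell script. The sample PKGBUILD and its `example-user` repositories are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): locate and rewrite PKGBUILD sources that
# still use GitHub's disabled unauthenticated git:// protocol (port 9418).

# List (with line numbers) source entries that reference git://github.com/.
# The url= metadata line is skipped; it is not something makepkg clones.
find_git_proto_sources() {
    grep -n 'git://github\.com/' "$1" | grep -v '^[0-9]*:[[:space:]]*url=' || true
}

# Print the PKGBUILD with those entries switched to git+https://.
# Handles the three spellings makepkg accepts for a git source:
#   git://host/...   git+git://host/...   name::git://host/...
# The "git+" prefix is required once the URL scheme is https, otherwise
# makepkg treats the source as a plain file download.
rewrite_git_proto_sources() {
    sed -E '/^[[:space:]]*url=/!s#(git\+)?git://github\.com/#git+https://github.com/#g' "$1"
}

# Constructed sample PKGBUILD fragment (user/repo names are placeholders).
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example-git
url="https://github.com/example-user/example"
source=("git://github.com/example-user/example.git"
        "plugin::git://github.com/example-user/plugin.git#branch=main"
        "git+git://github.com/example-user/extra.git"
        "git+https://github.com/example-user/already-fine.git")
sha256sums=('SKIP' 'SKIP' 'SKIP' 'SKIP')
EOF
}

sample=$(mktemp)
write_sample_pkgbuild "$sample"
echo "Sources still using git://:"
find_git_proto_sources "$sample"
echo "Rewritten PKGBUILD:"
rewrite_git_proto_sources "$sample"
rm -f "$sample"
```

The rewritten file goes to stdout, so it can be compared with the original before replacing it.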