git-remote-gnunet Better, slightly more general client 2026-05-14 11:52:18 +02:00
handle-request.sh Extensible protocol. Counts as a v1.0.0 methinks ! 2026-05-14 11:52:18 +02:00
README.txt Extensible protocol. Counts as a v1.0.0 methinks ! 2026-05-14 11:52:18 +02:00

This set of bash scripts allows one to use remote git repositories via gnunet, specifically the GNS, GNUnet VPN, and gnunet-identity.
In the interest of demonstrating that it works, all the repos on my server are available at
	`gnunet://git.serv.amelia.gnunet.gns.alt/<repo>.git` (see gitweb for the specific URIs).
	Try cloning them ! (And do tell me if it fails, or if it works.)

Usage:
Client:
	You must add the repo folder to the GIT_EXEC_PATH (for example by prepending
		`GIT_EXEC_PATH=$GIT_EXEC_PATH:/path/to/git/over/gnunet/repo` before every git command that uses remotes).
	The URL to give to git is `gnunet://[gnunet-identity@]gns.location.of.the.repo[/path/to/the/repo]`.
Server:
	- To serve repos, you have to set up a gnunet-vpn exit service.
	  ```
	  [exit]
	  IMMEDIATE_START = YES
	  EXIT_IFNAME = %
	  [<gns-name>.gnunet.]
	  TCP_REDIRECTS = 9418:169.254.86.1:9418
	  ```
	- You should also add a gns VPN record containing the required information to connect to the exit service.
	  `gnunet-namestore -a -t VPN -e 1d -n <gns-name> -V '1 <peer-id> <gns-name>' -z <ego> -p`
	- Next, you need to run the daemon: it needs to run `handle-request.sh` in the parent folder of all the repos every time someone connects to it.
	  For example, with socat: `socat tcp4-listen:9418,bind=169.254.86.1,fork  exec:'/path/to/handle-request.sh /path/to/repos /path/to/list/of/pkeys'`
	- This will open the repos for pulling on the url `gnunet://[gnunet-identity@]gns-name.public-key[/path/to/the/repo]`.
	- Additionally, any owner of a public key listed in /path/to/list/of/pkeys (each line should be a pkey on its own) will be allowed push access
		(by specifying the corresponding identity before the @).

Features:
	- Clone repo !
	- Fetch repo !
	- Pull repo !
	- Authenticated push to repo !

TODO:
	- Pulling from anyone, using a commit hash ?
		- DHT to figure out who has what commits ?
		- Question of trust for pulling from peers ?

How it works:
Client:
	- Uses a git remote helper to give git the ability to interpret the gnunet:// scheme.
	- Gets the VPN record associated with the GNS name given in the scheme.
	- Connects to the exit service, gives it the name of the repo and the command required
		(e.g. `git-upload-pack`) (and the public key if an identity was specified).
Server:
	- Reads the path and the command.
	- Checks that the path isn't malicious.
	- Checks that the command is git-upload-pack, or that the client is authenticated and the command is git-receive-pack.
	- Executes the command and connects it to the client.
Authentication (also done when pulling):
	- The server receives the public key.
	- It checks the key is allowed.
	- It sends a randomly-generated passphrase to the client, encrypted to the public key.
	- The client deciphers and hashes the passphrase, and sends the hash back.
		- This prevents a malicious server from using the client to decipher arbitrary strings.
	- The server checks the correctness of the hash.
	PS: The authentication protocol should be extensible in a backwards-compatible way, should there be a need.
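
Added example (not the code in handle-request.sh): a sketch of the server-side checks listed above, i.e. path validation, the command rule, the one-key-per-line lookup and the hash comparison value. The function names, the character allowlist and the choice of SHA-256 are assumptions; encryption to the public key is left out.

```bash
#!/bin/sh
# Added example, not the project's handle-request.sh. Function names, the
# character allowlist and the use of SHA-256 are assumptions.

# Accept only a relative repo path that cannot leave the repo root.
path_is_safe() {
    case $1 in
        ''|/*|-*) return 1 ;;               # empty, absolute, or option-like
        *[!A-Za-z0-9._/-]*) return 1 ;;     # anything outside the allowlist
        ..|../*|*/../*|*/..) return 1 ;;    # a ".." path component
    esac
    return 0
}

# The key file holds one public key per line: match the whole line, literally,
# so a substring or a regex metacharacter can never match another key.
key_is_allowed() {  # $1 = public key sent by the client, $2 = key list file
    [ -n "$1" ] && grep -Fxq -e "$1" "$2"
}

# Value the server compares against: the client returns a digest of the
# deciphered passphrase, never the plaintext itself.
passphrase_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# $1 = path, $2 = command, $3 = "yes" only after the key was allowed and the
# returned hash matched.
request_allowed() {
    path_is_safe "$1" || return 1
    case $2 in
        git-upload-pack)  return 0 ;;
        git-receive-pack) [ "$3" = yes ] ;;
        *)                return 1 ;;
    esac
}

# Constructed sample requests: path, command, authenticated.
for req in 'proj.git git-upload-pack no' '../etc git-upload-pack no' \
           'proj.git git-receive-pack no' 'proj.git git-receive-pack yes' \
           'proj.git git-shell yes'; do
    set -- $req
    if request_allowed "$1" "$2" "$3"; then echo "allow: $req"
    else echo "deny:  $req"; fi
done
```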