Page MenuHomePureOS Tracker
Create Task
Maniphest T1055

issue tracker contains source code tracker
Closed, ResolvedPublic
Actions

Description

PureOS issue tracker at tracker.pureos.net is just one component (Maniphest) of a larger framework (Phabricator) which also includes a source code tracker (Diffusion).

We apparently used Diffusion but it was last changed 5 years ago and I suspect it was only ever used experiemntally.

Please let's...

  1. remove all repos currently in Diffusion - moving them elsewhere as needed, or otherwise simply dropping them
  2. hide Diffusion from normal use, if possible
  3. remove the Diffusion module altogether from our instance of Phabricator, if possible

There are multiple benefits of such cleanup:

  • Clarity - search interface provides confusing code results
  • Security - limiting the attack surface for a public-facing web-app written in arguably generally worrisome PHP
  • Efficiency - Phabricator is often axhausted on normal use, which might be helped with lesser data and (if possible) lesser code

Event Timeline

jonas.smedegaard triaged this task as Normal priority.May 31 2021, 02:05
jonas.smedegaard created this task.
jonas.smedegaard added a comment.May 31 2021, 02:49

I have now disabled these repos which are empty:

  • gnome-pureos2.1
  • purebrowser
jonas.smedegaard added a comment.May 31 2021, 02:53

I have now disabled repo keysafe: It has moved to https://git.joeyh.name/git/keysafe.git/ as officially announced at https://joeyh.name/code/keysafe/
I verified that the latest commit here is contained in the newer git repo.

jonas.smedegaard added a comment.May 31 2021, 03:03

I have now disabled repo pureos-archive-keyring: It has apparently moved to https://source.puri.sm/pureos/core/pureos-archive-keyring
I verified that the latest commit here is contained in the newer git repo.

jonas.smedegaard added a comment.May 31 2021, 03:13

I have now disabled repo pdak: It has apparently moved to https://source.puri.sm/pureos/infra/pdak
I verified that the latest commit here is contained in the newer git repo.

jonas.smedegaard added a comment.May 31 2021, 03:16

I have now disabled repo laniakea: It has apparently moved to https://source.puri.sm/pureos/infra/laniakea
I verified that the latest commit here is contained in the newer git repo.

jonas.smedegaard added a comment.May 31 2021, 03:30

There should currently be no git repos publicly accessible as part of our Phabricator instance at tracker.pureos.net.
(I say "should" because I distrust both PHP and my own ability to reliably web-navigate the many of options of Phabricator)

It seems the Diffusion module can be completely removed at https://tracker.pureos.net/applications/view/PhabricatorDifferentialApplication/
I am unaware which side-effects that change has.
Thing I can imagine are...:

  • Maybe it purges all git repos currently tracked but disabled (that would be ok as I see it, but others might disagree)
  • Maybe it does _not_ purge but looses track fo those repos making it impossible to reliably free that data without doing a full reinstall of Phabricator
  • Maybe it fails to reliably cleanup some daemons - notably an ssh access to git repos seemingly setup on port 2222

@jeremiah.foster Do you agree that we should not use tracker.pureos.net for code development (git repo hosting and git commit approval)?
If so, please confirm, and either hit that button or request the sysadmin team to take it from here...

jeremiah.foster added a comment.Jun 2 2021, 08:08

I've uninstalled diffusion. Apparently this is sufficient to remove it from the various menus and it says "uninstalled" here: https://tracker.pureos.net/applications/view/PhabricatorDifferentialApplication/

jeremiah.foster added a comment.Jun 2 2021, 08:09

We should not use this tool (Phabricator) to host source code.

jeremiah.foster closed this task as Resolved.Jun 2 2021, 08:09