Use HTTPS on download site

[drognisep]

I checked what seems to be the official download site and wiki (http://www.makehumancommunity.org/content/downloads.html) and it doesn't seems to support HTTPS. Since certificates can be obtained for free these days. It doesn't make much sense to put your users at risk by allowing potential MITM attacks. To get around this risk I wanted to run it from source, so I started following the directions for that and found that getting assets makes many different git remote requests. Since I use public key auth with a password, it needs the pass phrase for every single asset. I know how to add another key which isn't password protected to avoid the latter problem, but this is a really lackluster first impression for a security minded user. Maybe someone would be interested in fixing this? I'm sure there's a more efficient way to get assets than reaching out over the web for each one individually with git. Since Github has some CI plugins available, this could be bundled together to be later downloaded and extracted into the desired directory instead of using the current approach.

[joepal1976]

As has been discussed again and again on the forums, the problem isn't getting a free certificate. The problem is the ancient site infrastructure where a routing loop occurs when we try to use a reverse proxy with a different protocol than the inwards facing one for the version of mediawiki we have.

We haven't build a specific git implementation. We simply use the available git shell command for getting assets, a command that we call once.

If there is a problem with how the LFS functionality of git works (as might be indicated by for example this https://github.com/git-lfs/git-lfs/issues/4028 and this https://github.com/git-lfs/git-lfs/issues/858), then that's a bug with the version of git that you use and then there is not a whole lot that we can do about it. Looking at the latter bug report, it seems to indicate that if you use git lfs 2.3.0 or later and configure lfs.cachecredentials, it should solve the problem.

[drognisep]

@joepal1976. I'm not trying to put words in your mouth, and correct me if I'm wrong, but it seems that you're prioritizing "ancient site infrastructure" over secure content. I don't think that's the stance you want to be taking, especially since this has come up "again and again". I've never seen this repo or the forum before today, I just want to download and use the neat thing you've put together. So my frame of reference is a completely new user that sees clear impediments to using your stuff. Maybe it's time to shift priorities?

On the git LFS bit, maybe there's a check or minimum version that could be added to the Readme to let me know? I probably could have caught this if I knew it was something to look out for. To clarify, of course I'm not asking you to "fix" git, that's not under your control. Just relaying my experience trying to get started here. :)

[joepal1976]

We're a small team of volunteers. We have a very limited amount of time to spend aside full time jobs.

The site infrastructure consists of several parallel systems which we have tied together and adapted over the span of more than a decade. Replacing this with something modern would take man-months of effective work, since there is no single off-the-shelf product that could solve our needs.

We have not started this work because spending that time on upgrading server infrastructure would mean not spending it on developing makehuman functionality.

Sure, it would be desirable have a modernized ifrastructure. But if you ask the wider audience, I would assume most people are more interested in getting functionality in the software rather than in an upgraded infrastructure. And as things stand now, we don't have the resources do both.

[drognisep]

Sure, it would be desirable have a modernized ifrastructure. But if you ask the wider audience, I would assume most people are more interested in getting functionality in the software rather than in an upgraded infrastructure.

That's probably true until someone gets hacked, assuming no one has already. Sorry about your situation, bud. I hope you get it worked out soon.