x/website: talks.godoc.org's present server still relies on defunct RawGit service #46469
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
website
Milestone
Comments
seankhliao
added
the
NeedsInvestigation
|
maybe the rewrite could just be removed since github now serves svgs with |
|
Is there anything I can do to help? Could I submit a patch somewhere (if not on the |
|
No progress in a year and a half on this. I'd like to renew my offer to help, if I can. |
|
The problem persists to this day, and Edit (2023/03/07): |
|
I tried fixing a documentation link in #36692 and, in the end, no one merged it. 🤷 |
|
Is there any update on this? I just started receiving 403s for all content I have been trying to access because of this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
One can (and the likes of Dave Cheney do) point
talks.godoc.orgto one'spresentslideshow hosted on GitHub. The slideshow then runs on the server, which obviates the need for installing and running thepresentcommand on one's local machine. For instance, see https://talks.godoc.org/github.com/jub0bs/poc_present/main.slide.However, I noticed that SVG assets hosted
raw.githubusercontent.comsee their URL's host rewritten torawgithub.com. https://rawgithub.com permanently redirects to https://rawgit.com, which states that the RawGit project is reaching the end of its life:(my emphasis)
As a result of this URL rewrite and the RawGit project's status, such SVG assets fail to load (with a
403response status) inpresentslides run ontalks.godoc.org; for instance, see https://talks.godoc.org/github.com/jub0bs/poc_present/main.slide#2:Note: a WHOIS lookup confirms that
godoc.orgis owned by Google;talks.godoc.orgis maintained by @dmitshur.I tracked down the offending URL rewrite to the
golang/gddoproject, but that project is marked as archived and no longer accepts issues or pull requests. I privately reached out to @julieqiu for guidance on Gophers Slack, who suggested I open an issue about this here.Relying on RawGit despite its sunset status may have security implications: when RawGit becomes truly defunct, its domain names may be acquired by a malevolent actor who could serve arbitrary SVGs in place of the slideshow's authors'. I've privately reached out to Ryan Grove (RawGit's author) on Twitter, who indicated he has no plans to let domain names
rawgithub.comandrawgit.comlapse any time soon, but his plans may change, especially if the cost of ownership becomes prohibitive.Moreover, the ability to run a slideshow on https://talks.godoc.org is valuable to the community, and isn't yet (AFAIK) supported on https://pkg.go.dev. Fixing this issue (by no longer relying on RawGit) would be a good thing.
The text was updated successfully, but these errors were encountered: