pkgsrc-Bugs archive
pkg/58323: pkgsrc-wip lacks server-authenticated, client-anonymous access method
>Number: 58323
>Category: pkg
>Synopsis: pkgsrc-wip lacks server-authenticated, client-anonymous access method
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jun 08 17:00:00 +0000 2024
>Originator: Taylor R Campbell
>Release:
>Organization:
The pkgsrc wipation
>Environment:
>Description:
According to https://pkgsrc.org/wip/, you can get wip either via:
- git clone git://wip.pkgsrc.org/pkgsrc-wip.git wip, for anonymous clients, which doesn't authenticate the server, so exposes people to MITM attacks on the network; or
- signing up to contribute and then git clone username%wip.pkgsrc.org@localhost:/pkgsrc-wip.git wip, which does authenticate the server, but requires users to identify themselves to the server first.
There is also a browsable gitweb instance at https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=summary but I don't see a way to git clone out of it.
pkgsrc-wip should also be available via https, so that anyone can get wip without identifying themselves up front to set up an account.
>How-To-Repeat:
try to use pkgsrc-wip without an account
>Fix:
1. Configure the httpd to run git-http-backend out of /pkgsrc-wip.git (may require teaching bozohttpd about chunked input, or may require running nginx or apache2 or something instead to handle that).
2. Alternatively: expose an anonymous ssh method, like we do for anoncvs (may require some more engineering work to do this safely).
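Added example of fix item 1, not the wip project's own configuration: an Apache httpd virtual host that serves /pkgsrc-wip.git anonymously over TLS through git-http-backend, fetch-only, so the server is authenticated by its certificate while clients stay anonymous. Assumed: Apache 2.4 with mod_ssl and mod_alias, the bare repository under /srv/git, the git CGI in /usr/libexec/git-core, and certificate files under /etc/ssl.

```apache
# Added example (not the wip project's config): serve /pkgsrc-wip.git
# read-only over https via git-http-backend (smart HTTP).
# Assumed paths: repo under /srv/git, git CGI in /usr/libexec/git-core,
# certificate files under /etc/ssl.  Adjust for the real host.
<VirtualHost *:443>
    ServerName wip.pkgsrc.org

    # Server authentication comes from TLS: clients verify this
    # certificate against their trust store, which git:// never offers.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wip.pkgsrc.org.pem
    SSLCertificateKeyFile /etc/ssl/private/wip.pkgsrc.org.key

    # git-http-backend resolves PATH_INFO relative to GIT_PROJECT_ROOT.
    # Without GIT_HTTP_EXPORT_ALL it only serves repositories that
    # contain a git-daemon-export-ok file, so export the wip repo by
    # creating /srv/git/pkgsrc-wip.git/git-daemon-export-ok.
    SetEnv GIT_PROJECT_ROOT /srv/git

    # Route only the smart-HTTP paths of pkgsrc-wip.git to the CGI
    # (pattern adapted from the git-http-backend(1) manual).
    # git-receive-pack is deliberately left out of the pattern, so
    # anonymous clients can fetch but never push; pushes stay on the
    # authenticated ssh path.  git-http-backend itself also refuses
    # receive-pack when REMOTE_USER is unset unless http.receivepack
    # is explicitly enabled in the repository.
    ScriptAliasMatch \
        "(?x)^/(pkgsrc-wip\.git/(HEAD | \
                                 info/refs | \
                                 objects/(info/[^/]+ | \
                                          [0-9a-f]{2}/[0-9a-f]{38} | \
                                          pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                                 git-upload-pack))$" \
        /usr/libexec/git-core/git-http-backend/$1

    <Directory "/usr/libexec/git-core">
        Options +ExecCGI
        Require all granted
    </Directory>
</VirtualHost>
```

With this in place an anonymous user runs git clone https://wip.pkgsrc.org/pkgsrc-wip.git wip, and git's normal certificate verification rejects a MITM that git:// would have accepted silently.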