ubuntu-cve-tracker git https error

Asked by Chris Scott on 2021-04-22


Sorry if this is the wrong place to report/ask, but the search didn't return anything for where this project is tracked.

For the past couple of days I've been getting this error with this project repo:

$ git clone https://git.launchpad.net/ubuntu-cve-tracker/
Cloning into 'ubuntu-cve-tracker'...
fatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503

Checking another project repo selected at random to compare is working fine:

$ git clone https://git.launchpad.net/libnhttp
Cloning into 'libnhttp'...
remote: Enumerating objects: 1301, done.
remote: Counting objects: 100% (1301/1301), done.
remote: Compressing objects: 100% (294/294), done.
remote: Total 1301 (delta 1029), reused 1253 (delta 1003)
Receiving objects: 100% (1301/1301), 970.70 KiB | 3.62 MiB/s, done.
Resolving deltas: 100% (1029/1029), done.

Thanks in advance for advice

Question information

English Edit question
Launchpad itself Edit question
No assignee Edit question
Solved by:
Colin Watson
Last query:
Last reply:
Best Colin Watson (cjwatson) said : #1

The ubuntu-cve-tracker repository is heavily rate-limited because it's an enormous repository and the authors of some widely-deployed automated scanning tools have caused their tools to clone it, which effectively resulted in us being DDoSed.

If this is for a single clone for development purposes, then you can avoid the rate-limiting by using SSH (git+ssh://git.launchpad.net/...). However, if you're planning to put the git clone into a script somewhere that's going to be run a non-trivial number of times, then that will make the situation worse - if that's the case then please consider using OVAL data instead.

Thanks Colin!

Indeed we're users of a "widely-deployed automated scanning tool" embedded in a platform so I'll take this situation over to its authors for a better way forward.

Thanks Colin Watson, that solved my question.

Colin Watson (cjwatson) said : #4

Would you mind sharing what tool it is? We know about clair (https://github.com/quay/clair/issues/804) but there may be others.

It's clair. Thanks for that link. I've had a look and from what I can tell it's clair v2.1.6 used in our current running harbor v2.1.3 so I guess it didn't yet have the git repo fix. We'll probably have to update harbor to as recent a version as we can to make sure to get it.