Bug 179014 - egret needs git daemon support for readonly, and SSH users with git-shell read-write
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Infrastructure
Blocks: 167672
Reported: 2007-05-18 15:23 UTC by Markus Ullmann (RETIRED)
Modified: 2008-01-06 11:14 UTC (History)

Description Markus Ullmann (RETIRED) gentoo-dev 2007-05-18 15:23:41 UTC
As discussed on irc with robbat2 we need git daemon support on egret. Currently we handle it through http but repositories break way too often because no commit verification can be done on the server side.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-05-18 16:19:05 UTC
jokey: you missed something that I said.

git-daemon is ONLY for read-only checkouts.

It does NOT provide commit support at all.

Commits really should be done via the Git-SSH protocol.
Comment 2 Markus Ullmann (RETIRED) gentoo-dev 2007-05-18 18:40:48 UTC
okay, then we need to change infra's policy for egret
Comment 3 Mike Doty (RETIRED) gentoo-dev 2007-05-19 04:03:07 UTC
(In reply to comment #2)
> okay, then we need to change infra's policy for egret
> 

you have to be much more specific.
Comment 4 Markus Ullmann (RETIRED) gentoo-dev 2007-05-21 20:26:52 UTC
When the overlays project was started, infra's point is that only 3 admins get ssh access to it and not $random_dev and $random_user. So for git repos we need to tweak this then...
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-06-03 16:48:09 UTC
Ok, I was talking with Solar on this, regarding security implications.
1. For read-only (e.g. general public), we'll be running git-daemon. It's vastly more efficient than the HTTP methods.

2. For read-write users, we will be allowing SSH on a trial basis as follows.
- Will be using RBAC/grsec lockdown stuff from solar.
- Users will be created in LDAP at ou=overlayusers,dc=gentoo,dc=org, to prevent any existing boxes using them for authentication.
- The password field will be LOCKED (classical ! will be used).
- uidNumber will start at 30001 for these users.
- shell will be set to /usr/bin/git-shell (review the very short source here: http://tinyurl.com/2ttf5z)
- The only gentooAccess LDAP attribute will be overlays-git.group. No other gentooAccess attributes will be permitted for overlay-specific users.
- Users must provide valid email/cn/sn/gpgkey for their LDAP entries.
- LDAP attribute shadowExpire will be set to +3? months on a regular basis (Maybe need some other way of regularly detecting stale users for expiring).
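The account rules listed above can be turned into a mechanical audit of the overlay-user entries. The following is an added example, not code from this bug or from Gentoo infra: it reads constructed LDIF sample data (not real directory content) and reports, per entry, every point on which it departs from the stated policy. It assumes the attribute names match the ones quoted in the comment (uidNumber, loginShell, userPassword, gentooAccess, shadowExpire, gpgkey) and that a locked password is stored as "!" with an optional {crypt} prefix.

```python
import re

# Policy values from the comment above; everything in SAMPLE_LDIF is constructed test data.
OVERLAY_OU = "ou=overlayusers,dc=gentoo,dc=org"
GIT_SHELL = "/usr/bin/git-shell"
MIN_UID = 30001
ALLOWED_ACCESS = {"overlays-git.group"}
REQUIRED = ("mail", "cn", "sn", "gpgkey")  # attribute names assumed, per the comment
SAMPLE_LDIF = """\
dn: uid=alice,ou=overlayusers,dc=gentoo,dc=org
cn: Alice Example
sn: Example
mail: alice@example.org
gpgkey: 0x0123456789ABCDEF
uidNumber: 30001
loginShell: /usr/bin/git-shell
userPassword: {crypt}!
gentooAccess: overlays-git.group
shadowExpire: 13880

dn: uid=bob,ou=people,dc=gentoo,dc=org
uidNumber: 1042
loginShell: /bin/bash
userPassword: {crypt}$6$constructed$hash
gentooAccess: overlays-git.group
gentooAccess: example-other.group
"""

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries, attribute names lower-cased,
    # multi-valued attributes kept as lists (no base64 values or continuation lines).
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        yield entry

def check_entry(e):
    # Return the list of policy violations for one parsed entry; an empty list means compliant.
    first = lambda attr, default="": e.get(attr, [default])[0]
    extra = set(e.get("gentooaccess", [])) - ALLOWED_ACCESS
    missing = [a for a in REQUIRED if a not in e]
    checks = [
        (not first("dn").lower().endswith(OVERLAY_OU), "dn not under " + OVERLAY_OU),
        (not first("userpassword").replace("{crypt}", "").startswith("!"), "password not locked with '!'"),
        (int(first("uidnumber", "0")) < MIN_UID, "uidNumber below %d" % MIN_UID),
        (first("loginshell") != GIT_SHELL, "loginShell is not " + GIT_SHELL),
        (bool(extra), "gentooAccess beyond overlays-git.group: " + ", ".join(sorted(extra))),
        (bool(missing), "missing required attribute(s): " + ", ".join(missing)),
        ("shadowexpire" not in e, "shadowExpire not set"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running `check_entry` over `parse_ldif(SAMPLE_LDIF)` yields no findings for the first entry and seven for the second, which is the shape of report an admin would want before granting a key.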
Comment 6 Markus Ullmann (RETIRED) gentoo-dev 2007-07-02 20:53:34 UTC
Friendly monthly ping
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2007-08-05 07:23:26 UTC
(In reply to comment #6)
> Friendly monthly ping

Guess that makes it about time for another, since that was July 2.
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2007-08-19 18:30:05 UTC
Okay, it's not that I dislike admin work but I have to reinstate some git overlays today, as they broke on push via http again.

So some days ago on IRC, robbat2 said he wants ACLs so people would be unable to reset the overlays. From today's point of view, I'd say, let's implement them now as-is, we can apply that ACL stuff later on.
Comment 9 Donnie Berkholz (RETIRED) gentoo-dev 2007-08-19 23:12:53 UTC
(In reply to comment #8)
> Okay, it's not that I dislike admin work but I have to reinstate some git
> overlays today, as they broke on push via http again.

FWIW, I am sort of hoping the recent update to git 1.5 on the server side will magically fix this, since previously I was on 1.5 locally pushing to 1.4 on the server.
Comment 10 Donnie Berkholz (RETIRED) gentoo-dev 2007-10-13 09:40:31 UTC
In #git, I was just pointed at a possible alternative that would be a major improvement to the current http setup, using a single SSH account:
http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst

   ==========================================================
    ``gitosis`` -- software for hosting ``git`` repositories
   ==========================================================

           Manage ``git`` repositories, provide access to them over SSH,
           with tight access control and not needing shell accounts.

   .. note::

     Documentation is still lacking, and non-default configurations
     (e.g. config file, repositories, installing in a location that
     is not in ``PATH``) basically have not been tested at all.
     Basic usage should be very reliable -- the project has been
     hosting itself for a long time. Any help is welcome.

   ``gitosis`` aims to make hosting ``git`` repos easier and safer. It
   manages multiple repositories under one user account, using SSH keys
   to identify users. End users do not need shell accounts on the server,
   they will talk to one shared account that will not let them run
   arbitrary commands.
Comment 11 Garry Dolley 2007-11-16 10:45:41 UTC
There's a good tutorial on gitosis here:

http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-25 12:31:23 UTC
A heavily-modified gitosis is implemented on the new overlays test box.
The existing Git overlay users have gotten an email about testing it.

git-daemon for readonly is not enabled until they have finished testing.
We will move the git overlays first, followed by SVN and Trac.
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-01-06 11:14:50 UTC
gitosis is live on git.overlays.gentoo.org