Re: Git Repository for WITH RECURSIVE and others - Mailing list pgsql-hackers

From David Fetter
Subject Re: Git Repository for WITH RECURSIVE and others
Date
Msg-id 20080630142327.GD348@fetter.org
In response to Re: Git Repository for WITH RECURSIVE and others  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Git Repository for WITH RECURSIVE and others  (Gregory Stark <stark@enterprisedb.com>)
Re: Git Repository for WITH RECURSIVE and others  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
On Mon, Jun 30, 2008 at 01:50:26PM +0200, Magnus Hagander wrote:
> David Fetter wrote:
[gitosis]
> > It *would* be good, if the author seemed even vaguely interested
> > in packaging up so much as a tarball, but he is not.  His attitude
> > is (paraphrasing from conversations with him the past few days),
> > "it's good enough as a git repository, and everybody who's using
> > it is a git administrator, so they should know how to wrangle git
> > repositories." While he may someday outgrow this, we really should
> > not put him and his attitude in critical paths for our project.
> > 
> > Let's go with git-shell, which is supported and packaged software
> > on just about every platform, and stop waiting for Godot^Wgitosis.
> 
> I'm not sure I agree that this is a big problem, but sure, we should
> at least consider git-shell.

Please explain your reasoning here.  The project has taken nasty hits
on its infrastructure already (pgfoundry) because the author of the
software had a go-it-alone, I-know-best attitude that sooner than
later forced us to fork.  As a direct consequence, pgfoundry now needs
a redo that will take a pgfoundry administrator many of work in their
"ample spare time."

Let's not cause more pinch points here.

> Is there any product out there that makes it possible to admin a
> git-shell based system without having all the admins being root on
> the server?  Because that's simply not an option if you want
> anything remotely scalable.

I don't know what you mean by "remotely scalable," but it's clearly
not the same definition I have.  A sudo wrapper which only allows
creation, editing and deletion of accounts restricted to git-shell
will scale just fine.

> > Here's an even simpler implementation: git-ssh and public keys.  Yes,
> > it involves work by administrators, which I'd be delighted to do.
> 
> Are you referring to git-shell, or is this a different product? If so,
> reference to said product, please?

Same.

> I certainly don't mind having the work pushed off to an admin team.
> But it has to be automated enough that there is no risk that
> different people set it up differently.

OK

> And it must not require root.

This is what sudo is built to do :)

> Show me such a solution, and I'll be happy to consider it :-)

1. Create a (set of) program(s) which does exactly the following things:
   * Create an account with git-ssh as its shell.
   * Manipulate the contact information, ssh keys and groups of said
     account.
   * Delete the account.

2. Create a unix group and corresponding sudo role that accesses the above.

3. Create shell accounts as needed with the above group.  Yes, that's
a root-only task, but it's a short one.

I believe that the above takes care of 90% or more of tasks.  If it
turns out that we need to automate more, we can add that
(semi)automation to the capabilities above :)

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
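
A sketch of the wrapper described in steps 1 and 2 of the message above, added here as an example and not code from the thread or the PostgreSQL project. It covers account creation, key replacement and deletion only; the script name `git-account`, the `gitadmin` group, the sudoers line and the `/usr/bin/git-shell` path are assumptions.

```shell
#!/bin/sh
# git-account (hypothetical name): the only program the admin group may run via sudo.
# Assumed sudoers entry (group and path are placeholders):
#   %gitadmin ALL=(root) NOPASSWD: /usr/local/sbin/git-account
LC_ALL=C; export LC_ALL
GIT_SHELL=${GIT_SHELL:-/usr/bin/git-shell}   # assumed install path
RUN=${RUN:-}                                 # RUN=echo prints commands instead of running them
KEY_OPTS=no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
NL='
'

valid_user() {   # lowercase name, max 32 chars, nothing the shell or useradd could misread
  case "$1" in ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;; esac
  [ "${#1}" -le 32 ]
}

valid_key() {    # exactly one "type base64 [comment]" line; no leading options such as command=
  case "$1" in
    *"$NL"*) return 1 ;;
    "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|"ecdsa-sha2-nistp256 AAAA"*) ;;
    *) return 1 ;;
  esac
  body=${1#* }; body=${body%% *}
  case "$body" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
}

is_git_account() {   # refuse to touch any account whose shell is not git-shell
  [ "$(getent passwd "$1" | cut -d: -f7)" = "$GIT_SHELL" ]
}

git_account() {
  valid_user "${2:-}" || { echo "bad account name" >&2; return 2; }
  case "${1:-}" in
    create) $RUN useradd -m -s "$GIT_SHELL" "$2" ;;
    setkey)
      is_git_account "$2" || { echo "not a git-shell account" >&2; return 3; }
      valid_key "${3:-}" || { echo "bad public key" >&2; return 2; }
      home=$(getent passwd "$2" | cut -d: -f6)
      $RUN install -d -m 700 -o "$2" "$home/.ssh" &&
        printf '%s %s\n' "$KEY_OPTS" "$3" | $RUN tee "$home/.ssh/authorized_keys" >/dev/null ;;
    delete)
      is_git_account "$2" || { echo "not a git-shell account" >&2; return 3; }
      $RUN userdel -r "$2" ;;
    *) echo "usage: git-account create|setkey|delete NAME [PUBKEY]" >&2; return 2 ;;
  esac
}

[ $# -eq 0 ] || git_account "$@"
```

Because the sudo rule names only this one program, members of the admin group never get a root shell, and the `is_git_account` check keeps `setkey` and `delete` from touching any account that is not restricted to git-shell.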

