Thread: Git Repository for WITH RECURSIVE and others
Folks,

With lots of help from Greg Sabino Mullane, I've set up a git
repository for the WITH RECURSIVE patches on
<http://git.postgresql.org/>.

What other patches would people like to try maintaining this way until
commitfest?

It looks like gitosis is a good way to grant write access to git
repositories, but it's not yet packaged for FreeBSD. Any ideas about
how to handle this?

Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

David Fetter wrote:
> Folks,
>
> With lots of help from Greg Sabino Mullane, I've set up a git
> repository for the WITH RECURSIVE patches on
> <http://git.postgresql.org/>.
>
> What other patches would people like to try maintaining this way until
> commitfest?
>
> It looks like gitosis is a good way to grant write access to git
> repositories, but it's not yet packaged for FreeBSD. Any ideas about
> how to handle this?

Isn't the whole point of git not to require write access?
If you want centralized development, then Subversion/CVS can do the
job quite well.

Unless I'm completely wrong on this :-)

Cheers
Tino

On Tue, Jun 24, 2008 at 07:09:41AM +0200, Tino Wildenhain wrote:
> David Fetter wrote:
>> Folks,
>>
>> With lots of help from Greg Sabino Mullane, I've set up a git
>> repository for the WITH RECURSIVE patches on
>> <http://git.postgresql.org/>.
>>
>> What other patches would people like to try maintaining this way
>> until commitfest?
>>
>> It looks like gitosis is a good way to grant write access to git
>> repositories, but it's not yet packaged for FreeBSD. Any ideas
>> about how to handle this?
>
> Isn't the whole point of git not to require write access?

Write access is handy for keeping the bit-rot off the patch, and git's
branching and merging capability--I just rebased, for example--are
top-notch.

> If you want centralized development, then Subversion/CVS can do the
> job quite well.
>
> Unless I'm completely wrong on this :-)

Or I could be :)

Cheers,
David.

Hi,

From: David Fetter <david@fetter.org>
Subject: [HACKERS] Git Repository for WITH RECURSIVE and others
Date: Mon, 23 Jun 2008 21:38:11 -0700

> With lots of help from Greg Sabino Mullane, I've set up a git
> repository for the WITH RECURSIVE patches on
> <http://git.postgresql.org/>.

Thank you very much.

I tried git-clone, but I could not access the repository.

% git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git
Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/
fatal: The remote end hung up unexpectedly
fetch-pack from 'git://git.postgresql.org/git/~davidfetter/postgresql/.git' failed.

Regards,
--
Yoshiyuki Asaba
y-asaba@sraoss.co.jp

David Fetter wrote:
> Folks,
>
> With lots of help from Greg Sabino Mullane, I've set up a git
> repository for the WITH RECURSIVE patches on
> <http://git.postgresql.org/>.
>
> What other patches would people like to try maintaining this way until
> commitfest?
>
> It looks like gitosis is a good way to grant write access to git
> repositories, but it's not yet packaged for FreeBSD. Any ideas about
> how to handle this?

As you were answered the last time you asked about it, people are
already working on this. Unfortunately, the requirements have also been
raised a bit (such as allowing a user to delegate access to another
user) which means it will take longer.

Now, if you can give us a step-by-step on how to set it up, that would
certainly help ;-)

//Magnus

On Tue, Jun 24, 2008 at 03:26:36PM +0900, Yoshiyuki Asaba wrote:
> Hi,
>
> From: David Fetter <david@fetter.org>
> Subject: [HACKERS] Git Repository for WITH RECURSIVE and others
> Date: Mon, 23 Jun 2008 21:38:11 -0700
>
> > With lots of help from Greg Sabino Mullane, I've set up a git
> > repository for the WITH RECURSIVE patches on
> > <http://git.postgresql.org/>.
>
> Thank you very much.
>
> I tried git-clone, but I could not access the repository.
>
> % git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git
> Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/
> fatal: The remote end hung up unexpectedly
> fetch-pack from 'git://git.postgresql.org/git/~davidfetter/postgresql/.git' failed.

I ran git-update-server-info on the server, and it should work now. :)

Cheers,
David.

On Tue, Jun 24, 2008 at 09:52:22AM +0200, Magnus Hagander wrote:
> David Fetter wrote:
> > Folks,
> >
> > With lots of help from Greg Sabino Mullane, I've set up a git
> > repository for the WITH RECURSIVE patches on
> > <http://git.postgresql.org/>.
> >
> > What other patches would people like to try maintaining this way
> > until commitfest?
> >
> > It looks like gitosis is a good way to grant write access to git
> > repositories, but it's not yet packaged for FreeBSD. Any ideas
> > about how to handle this?
>
> As you were answered the last time you asked about it, people are
> already working on this.

Which people, and what are they doing? The silence here has been
deafening.

> Unfortunately, the requirements have also been raised a bit (such as
> allowing a user to delegate access to another user)

Who raised those requirements, and where did that discussion take
place? I don't recall any decision to do any of this by star chamber
and secret cabal, and frankly, moving the goalposts on this is a great
way to have it never actually happen. Is that your intention?

> which means it will take longer.
>
> Now, if you can give us a step-by-step on how to set it up, that
> would certainly help ;-)

Gitosis does not, as far as I can tell, have that delegation
capability, but I've come up with a way to do this:

1. Use git-shell. Yes, this does involve creating one shell account
for each project, but git-shell is, by design, very short on
exploitable capability.

2. Make the .ssh directory a git repository.

3. Edit .ssh/authorized_keys and push via git.

Cheers,
David.

David Fetter wrote:
> On Tue, Jun 24, 2008 at 09:52:22AM +0200, Magnus Hagander wrote:
>> David Fetter wrote:
>>> Folks,
>>>
>>> With lots of help from Greg Sabino Mullane, I've set up a git
>>> repository for the WITH RECURSIVE patches on
>>> <http://git.postgresql.org/>.
>>>
>>> What other patches would people like to try maintaining this way
>>> until commitfest?
>>>
>>> It looks like gitosis is a good way to grant write access to git
>>> repositories, but it's not yet packaged for FreeBSD. Any ideas
>>> about how to handle this?
>> As you were answered the last time you asked about it, people are
>> already working on this.
>
> Which people, and what are they doing? The silence here has been
> deafening.

Peter is in charge of the GIT repository, and I've offered to make the
changes once we've agreed exactly on what should be done.

>> Unfortunately, the requirements have also been raised a bit (such as
>> allowing a user to delegate access to another user)
>
> Who raised those requirements, and where did that discussion take
> place?

Peter did.

> I don't recall any decision to do any of this by star chamber
> and secret cabal, and frankly, moving the goalposts on this is a great
> way to have it never actually happen. Is that your intention?

Not mine :-) My suggestion is to fix what we have now, and then add
more stuff later.

>> which means it will take longer.
>>
>> Now, if you can give us a step-by-step on how to set it up, that
>> would certainly help ;-)
>
> Gitosis does not, as far as I can tell, have that delegation
> capability, but I've come up with a way to do this:
>
> 1. Use git-shell. Yes, this does involve creating one shell account
> for each project, but git-shell is, by design, very short on
> exploitable capability.
>
> 2. Make the .ssh directory a git repository.
>
> 3. Edit .ssh/authorized_keys and push via git.

I was looking into being able to do it using gitosis, with an
interface on top of its existing GIT repository for being able to
delegate this.

I think it can be done without modifying gitosis itself, by just
writing some simple frontend script on top of it.

What do you think of this idea?

//Magnus

On Tue, 2008-06-24 at 07:55 -0700, David Fetter wrote:
> On Tue, Jun 24, 2008 at 09:52:22AM +0200, Magnus Hagander wrote:
> > David Fetter wrote:
> > > Folks,
>
> > Unfortunately, the requirements have also been raised a bit (such as
> > allowing a user to delegate access to another user)
>
> Who raised those requirements, and where did that discussion take
> place? I don't recall any decision to do any of this by star chamber
> and secret cabal, and frankly, moving the goalposts on this is a great
> way to have it never actually happen. Is that your intention?

You could take your complaints to an appropriate forum, which is not
hackers. Then you could take it up with the people that are actually in
charge of the repository.

Lastly, you could also perhaps take the 10 seconds it takes to find this
page:

http://git.postgresql.org/static/serviceinfo.html

Where it tells you exactly how to participate.

Joshua D. Drake

On Tue, Jun 24, 2008 at 09:21:27AM -0700, Joshua D. Drake wrote:
> On Tue, 2008-06-24 at 07:55 -0700, David Fetter wrote:
> > On Tue, Jun 24, 2008 at 09:52:22AM +0200, Magnus Hagander wrote:
> > > David Fetter wrote:
> > > > Folks,
>
> > > Unfortunately, the requirements have also been raised a bit
> > > (such as allowing a user to delegate access to another user)
> >
> > Who raised those requirements, and where did that discussion take
> > place? I don't recall any decision to do any of this by star
> > chamber and secret cabal, and frankly, moving the goalposts on
> > this is a great way to have it never actually happen. Is that
> > your intention?
>
> You could take your complaints to an appropriate forum, which is not
> hackers. Then you could take it up with the people that are
> actually in charge of the repository.
>
> Lastly, you could also perhaps take the 10 seconds it takes to find
> this page:
>
> http://git.postgresql.org/static/serviceinfo.html
>
> Where it tells you exactly how to participate.

Yes, and since you brought that up, it appears that mail to
gitadmin@git.postgresql.org goes to /dev/null. I specifically asked
for a couple of different things at that email, and have gotten 'tude
but no action.

As far as discussion goes, if there's a forum more appropriate than
-hackers, please feel free to specify exactly what that forum is and
explain why you believe that. :)

Cheers,
David.

On Tue, 2008-06-24 at 09:27 -0700, David Fetter wrote:
> On Tue, Jun 24, 2008 at 09:21:27AM -0700, Joshua D. Drake wrote:
> > On Tue, 2008-06-24 at 07:55 -0700, David Fetter wrote:
> > Lastly, you could also perhaps take the 10 seconds it takes to find
> > this page:
> >
> > http://git.postgresql.org/static/serviceinfo.html
> >
> > Where it tells you exactly how to participate.
>
> Yes, and since you brought that up, it appears that mail to
> gitadmin@git.postgresql.org goes to /dev/null. I specifically asked
> for a couple of different things at that email, and have gotten 'tude
> but no action.

Well I can appreciate that problem but it's their project, if they are
unwilling to answer you...

>
> As far as discussion goes, if there's a forum more appropriate than
> -hackers, please feel free to specify exactly what that forum is and
> explain why you believe that. :)

Well I will grant that I don't know that there is a better forum because
we don't have a yourrepos@postgresql.org :) but I am pretty certain that
discussion of the Git repo administration doesn't have much to do with
-hackers.

Either way it would seem to me the place for this to happen would be
between yourself, Magnus and Peter. Once everything is done, put it on
wiki... and be done with it :)

Sincerely,

Joshua D. Drake

On Tue, Jun 24, 2008 at 05:27:38PM +0200, Magnus Hagander wrote:
> David Fetter wrote:
> > On Tue, Jun 24, 2008 at 09:52:22AM +0200, Magnus Hagander wrote:
> >> David Fetter wrote:
> >>> Folks,
> >>>
> >>> With lots of help from Greg Sabino Mullane, I've set up a git
> >>> repository for the WITH RECURSIVE patches on
> >>> <http://git.postgresql.org/>.
> >>>
> >>> What other patches would people like to try maintaining this way
> >>> until commitfest?
> >>>
> >>> It looks like gitosis is a good way to grant write access to git
> >>> repositories, but it's not yet packaged for FreeBSD. Any ideas
> >>> about how to handle this?
> >> As you were answered the last time you asked about it, people are
> >> already working on this.
> >
> > Which people, and what are they doing? The silence here has been
> > deafening.
>
> Peter is in charge of the GIT repository, and I've offered to make
> the changes once we've agreed exactly on what should be done.

I think it's time for a few more people--yes, I'm volunteering for the
work--to get the needed access for this :)

> >> Unfortunately, the requirements have also been raised a bit (such
> >> as allowing a user to delegate access to another user)
> >
> > Who raised those requirements, and where did that discussion take
> > place?
>
> Peter did.

So, no public discussion anywhere, even though this is something that
the future development of Postgres is supposed to depend on. That's
just great.

> > I don't recall any decision to do any of this by star chamber and
> > secret cabal, and frankly, moving the goalposts on this is a great
> > way to have it never actually happen. Is that your intention?
>
> Not mine :-) My suggestion is to fix what we have now, and then add
> more stuff later.

Excellent!

> >> which means it will take longer.
> >>
> >> Now, if you can give us a step-by-step on how to set it up, that
> >> would certainly help ;-)
> >
> > Gitosis does not, as far as I can tell, have that delegation
> > capability, but I've come up with a way to do this:
> >
> > 1. Use git-shell. Yes, this does involve creating one shell account
> > for each project, but git-shell is, by design, very short on
> > exploitable capability.
> >
> > 2. Make the .ssh directory a git repository.
> >
> > 3. Edit .ssh/authorized_keys and push via git.
>
> I was looking into being able to do it using gitosis, with an
> interface on top of its existing GIT repository for being able to
> delegate this.

I discussed this with gitosis's author, and he wants to keep gitosis
from becoming "a sourceforge reimplementation." He did, however,
commit to stamping it 1.0 and putting up a TODO list. I'd like to
package it up for FreeBSD and Fedora, those being two common
platforms.

> I think it can be done without modifying gitosis itself, by just
> writing some simple frontend script on top of it.

Would the front-end script just modify gitosis.conf? If so, it's got
to be pretty bullet-proof because it can step on access to all the git
repositories.

> What do you think of this idea?

It's complicated :(

Wouldn't it be easier to have a gitosis admin team with the needed
access?

Cheers,
David.

> Well I will grant that I don't know that there is a better forum because
> we don't have a yourrepos@postgresql.org :) but I am pretty certain that
> discussion of the Git repo administration doesn't have much to do with
> -hackers.

How about some generic list? alt-repos@postgresql.org or something like
that?

On Tue, Jun 24, 2008 at 02:58:38PM -0300, Marc G. Fournier wrote:
>> Well I will grant that I don't know that there is a better forum
>> because we don't have a yourrepos@postgresql.org :) but I am pretty
>> certain that discussion of the Git repo administration doesn't have
>> much to do with -hackers.
>
> How about some generic list? alt-repos@postgresql.org or something like
> that?

For administration, definitely. For hacking discussions, -hackers is
the appropriate place :)

Cheers,
David.

David Fetter wrote:
> On Tue, Jun 24, 2008 at 05:27:38PM +0200, Magnus Hagander wrote:
>> David Fetter wrote:
>>> On Tue, Jun 24, 2008 at 09:52:22AM +0200, Magnus Hagander wrote:
>>>> David Fetter wrote:
>>>>> Folks,
>>>>>
>>>>> With lots of help from Greg Sabino Mullane, I've set up a git
>>>>> repository for the WITH RECURSIVE patches on
>>>>> <http://git.postgresql.org/>.
>>>>>
>>>>> What other patches would people like to try maintaining this way
>>>>> until commitfest?
>>>>>
>>>>> It looks like gitosis is a good way to grant write access to git
>>>>> repositories, but it's not yet packaged for FreeBSD. Any ideas
>>>>> about how to handle this?
>>>> As you were answered the last time you asked about it, people are
>>>> already working on this.
>>> Which people, and what are they doing? The silence here has been
>>> deafening.
>> Peter is in charge of the GIT repository, and I've offered to make
>> the changes once we've agreed exactly on what should be done.
>
> I think it's time for a few more people--yes, I'm volunteering for the
> work--to get the needed access for this :)

Heh :)

>>>> Unfortunately, the requirements have also been raised a bit (such
>>>> as allowing a user to delegate access to another user)
>>> Who raised those requirements, and where did that discussion take
>>> place?
>> Peter did.
>
> So, no public discussion anywhere, even though this is something that
> the future development of Postgres is supposed to depend on. That's
> just great.

I don't know about that part. My POC has been Peter, I don't know whom
else he has talked to before he told me. I may not have been clear
about that part, sorry.

>>>> which means it will take longer.
>>>>
>>>> Now, if you can give us a step-by-step on how to set it up, that
>>>> would certainly help ;-)
>>> Gitosis does not, as far as I can tell, have that delegation
>>> capability, but I've come up with a way to do this:
>>>
>>> 1. Use git-shell. Yes, this does involve creating one shell account
>>> for each project, but git-shell is, by design, very short on
>>> exploitable capability.
>>>
>>> 2. Make the .ssh directory a git repository.
>>>
>>> 3. Edit .ssh/authorized_keys and push via git.
>> I was looking into being able to do it using gitosis, with an
>> interface on top of its existing GIT repository for being able to
>> delegate this.
>
> I discussed this with gitosis's author, and he wants to keep gitosis
> from becoming "a sourceforge reimplementation." He did, however,
> commit to stamping it 1.0 and putting up a TODO list. I'd like to
> package it up for FreeBSD and Fedora, those being two common
> platforms.

That would be good.

>> I think it can be done without modifying gitosis itself, by just
>> writing some simple frontend script on top of it.
>
> Would the front-end script just modify gitosis.conf? If so, it's got
> to be pretty bullet-proof because it can step on access to all the git
> repositories.

Yes, that's what I thought.

>> What do you think of this idea?
>
> It's complicated :(
>
> Wouldn't it be easier to have a gitosis admin team with the needed
> access?

Yes, that'd probably be easier, and it's what I'd start the
implementation out at.

//Magnus

On Tue, Jun 24, 2008 at 10:27:28PM +0200, Magnus Hagander wrote:
> >>>> Now, if you can give us a step-by-step on how to set it up, that
> >>>> would certainly help ;-)
> >>> Gitosis does not, as far as I can tell, have that delegation
> >>> capability, but I've come up with a way to do this:
> >>>
> >>> 1. Use git-shell. Yes, this does involve creating one shell account
> >>> for each project, but git-shell is, by design, very short on
> >>> exploitable capability.
> >>>
> >>> 2. Make the .ssh directory a git repository.
> >>>
> >>> 3. Edit .ssh/authorized_keys and push via git.
> >> I was looking into being able to do it using gitosis, with an
> >> interface on top of its existing GIT repository for being able
> >> to delegate this.
> >
> > I discussed this with gitosis's author, and he wants to keep
> > gitosis from becoming "a sourceforge reimplementation." He did,
> > however, commit to stamping it 1.0 and putting up a TODO list.
> > I'd like to package it up for FreeBSD and Fedora, those being two
> > common platforms.
>
> That would be good.

It *would* be good, if the author seemed even vaguely interested in
packaging up so much as a tarball, but he is not. His attitude
is (paraphrasing from conversations with him the past few days), "it's
good enough as a git repository, and everybody who's using it is a git
administrator, so they should know how to wrangle git repositories."
While he may someday outgrow this, we really should not put him and
his attitude in critical paths for our project.

Let's go with git-shell, which is supported and packaged software on
just about every platform, and stop waiting for Godot^Wgitosis.

> >> What do you think of this idea?
> >
> > It's complicated :(
> >
> > Wouldn't it be easier to have a gitosis admin team with the needed
> > access?
>
> Yes, that'd probably be easier, and it's what I'd start the
> implementation out at.

Here's an even simpler implementation: git-ssh and public keys. Yes,
it involves work by administrators, which I'd be delighted to do.

Cheers,
David (cutting a few Gordian knots here)

David Fetter wrote:
> On Tue, Jun 24, 2008 at 10:27:28PM +0200, Magnus Hagander wrote:
>>>>>> Now, if you can give us a step-by-step on how to set it up, that
>>>>>> would certainly help ;-)
>>>>> Gitosis does not, as far as I can tell, have that delegation
>>>>> capability, but I've come up with a way to do this:
>>>>>
>>>>> 1. Use git-shell. Yes, this does involve creating one shell account
>>>>> for each project, but git-shell is, by design, very short on
>>>>> exploitable capability.
>>>>>
>>>>> 2. Make the .ssh directory a git repository.
>>>>>
>>>>> 3. Edit .ssh/authorized_keys and push via git.
>>>> I was looking into being able to do it using gitosis, with an
>>>> interface on top of its existing GIT repository for being able
>>>> to delegate this.
>>> I discussed this with gitosis's author, and he wants to keep
>>> gitosis from becoming "a sourceforge reimplementation." He did,
>>> however, commit to stamping it 1.0 and putting up a TODO list.
>>> I'd like to package it up for FreeBSD and Fedora, those being two
>>> common platforms.
>> That would be good.
>
> It *would* be good, if the author seemed even vaguely interested in
> packaging up so much as a tarball, but he is not. His attitude
> is (paraphrasing from conversations with him the past few days), "it's
> good enough as a git repository, and everybody who's using it is a git
> administrator, so they should know how to wrangle git repositories."
> While he may someday outgrow this, we really should not put him and
> his attitude in critical paths for our project.
>
> Let's go with git-shell, which is supported and packaged software on
> just about every platform, and stop waiting for Godot^Wgitosis.

I'm not sure I agree that this is a big problem, but sure, we should
at least consider git-shell.

Is there any product out there that makes it possible to admin a
git-shell based system without having all the admins being root on
the server? Because that's simply not an option if you want
anything remotely scalable.

>>>> What do you think of this idea?
>>> It's complicated :(
>>>
>>> Wouldn't it be easier to have a gitosis admin team with the needed
>>> access?
>> Yes, that'd probably be easier, and it's what I'd start the
>> implementation out at.
>
> Here's an even simpler implementation: git-ssh and public keys. Yes,
> it involves work by administrators, which I'd be delighted to do.

Are you referring to git-shell, or is this a different product? If so,
reference to said product, please?

I certainly don't mind having the work pushed off to an admin team.
But it has to be automated enough that there is no risk that
different people set it up differently.

And it must not require root.

Show me such a solution, and I'll be happy to consider it :-)

//Magnus

On Mon, Jun 30, 2008 at 01:50:26PM +0200, Magnus Hagander wrote:
> David Fetter wrote:
[gitosis]
> > It *would* be good, if the author seemed even vaguely interested
> > in packaging up so much as a tarball, but he is not. His attitude
> > is (paraphrasing from conversations with him the past few days),
> > "it's good enough as a git repository, and everybody who's using
> > it is a git administrator, so they should know how to wrangle git
> > repositories." While he may someday outgrow this, we really should
> > not put him and his attitude in critical paths for our project.
> >
> > Let's go with git-shell, which is supported and packaged software
> > on just about every platform, and stop waiting for Godot^Wgitosis.
>
> I'm not sure I agree that this is a big problem, but sure, we should
> at least consider git-shell.

Please explain your reasoning here. The project has taken nasty hits
on its infrastructure already (pgfoundry) because the author of the
software had a go-it-alone, I-know-best attitude that sooner than
later forced us to fork. As a direct consequence, pgfoundry now needs
a redo that will take a pgfoundry administrator many of work in their
"ample spare time."

Let's not cause more pinch points here.

> Is there any product out there that makes it possible to admin a
> git-shell based system without having all the admins being root on
> the server? Because that's simply not an option if you want
> anything remotely scalable.

I don't know what you mean by "remotely scalable," but it's clearly
not the same definition I have. A sudo wrapper which only allows
creation, editing and deletion of accounts restricted to git-shell
will scale just fine.

> > Here's an even simpler implementation: git-ssh and public keys. Yes,
> > it involves work by administrators, which I'd be delighted to do.
>
> Are you referring to git-shell, or is this a different product? If so,
> reference to said product, please?

Same.

> I certainly don't mind having the work pushed off to an admin team.
> But it has to be automated enough that there is no risk that
> different people set it up differently.

OK

> And it must not require root.

This is what sudo is built to do :)

> Show me such a solution, and I'll be happy to consider it :-)

1. Create a (set of) program(s) which does exactly the following things:

    * Create an account with git-ssh as its shell.
    * Manipulate the contact information, ssh keys and groups of said account.
    * Delete the account.

2. Create a unix group and corresponding sudo role that accesses the above.

3. Create shell accounts as needed with the above group. Yes, that's
a root-only task, but it's a short one.

I believe that the above takes care of 90% or more of tasks. If it
turns out that we need to automate more, we can add that
(semi)automation to the capabilities above :)

Cheers,
David.

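[Added example, not part of the thread and not code from any of the posters.] The sketch below shows the input-validation core that a sudo-invoked wrapper limited to creating and deleting git-shell accounts and installing their SSH keys, as proposed in the message above, would need before it runs anything as root. Assumptions not found in the thread: Linux shadow-utils `useradd`/`userdel`, git-shell at `/usr/bin/git-shell`, a `git-` prefix for managed accounts, and all function names, which are hypothetical.

```python
import base64
import pwd
import re
import struct

# Assumptions (not from the thread): Linux shadow-utils useradd/userdel,
# git-shell installed at this path, and a "git-" prefix for managed accounts.
GIT_SHELL = "/usr/bin/git-shell"
PREFIX = "git-"
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,23}")
COMMENT_RE = re.compile(r"[A-Za-z0-9@._+-]{0,64}")
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")
# Options the wrapper itself prepends; callers can never supply their own.
KEY_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"


class Rejected(ValueError):
    """Input the wrapper refuses to act on."""


def account_name(project):
    """Map a project name to its managed account name, or refuse."""
    if not isinstance(project, str) or not NAME_RE.fullmatch(project):
        raise Rejected("bad project name: %r" % (project,))
    return PREFIX + project


def parse_public_key(line):
    """Accept exactly 'type base64 [comment]' on a single line."""
    line = line.strip()
    if any(ord(c) < 32 or ord(c) == 127 for c in line):
        raise Rejected("control character in key line")
    parts = line.split(" ", 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        # A caller-supplied option such as command="..." is refused here.
        raise Rejected("key line must start with a known key type")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        raise Rejected("key data is not valid base64")
    # The decoded blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise Rejected("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise Rejected("key blob does not match declared type")
    if not COMMENT_RE.fullmatch(comment):
        raise Rejected("bad key comment")
    return keytype, b64, comment


def authorized_keys_line(pubkey_line):
    """Build the authorized_keys entry with the wrapper's fixed options."""
    keytype, b64, comment = parse_public_key(pubkey_line)
    return " ".join(p for p in (KEY_OPTIONS, keytype, b64, comment) if p)


def system_shell_of(user):
    """Login shell from the passwd database; raises KeyError if absent."""
    return pwd.getpwnam(user).pw_shell


def plan(action, project, shell_of=system_shell_of):
    """Return the argv list to execute; never a shell command string."""
    user = account_name(project)
    if action == "create":
        return ["useradd", "--create-home", "--shell", GIT_SHELL, user]
    if action == "delete":
        try:
            shell = shell_of(user)
        except KeyError:
            raise Rejected("no such managed account: " + user)
        # Refuse to delete anything that is not a git-shell account.
        if shell != GIT_SHELL:
            raise Rejected(user + " is not a git-shell account")
        return ["userdel", "--remove", user]
    raise Rejected("unknown action: %r" % (action,))


def constructed_key(comment="alice@example.org"):
    """Constructed sample: well-formed ed25519 blob with all-zero key bytes."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(32))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    print(plan("create", "withrecursive"))
    print(authorized_keys_line(constructed_key()))
```

Only `plan()`'s argv list would be handed to the privileged step, so the sudoers rule can name this one program and nothing else.
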
"David Fetter" <david@fetter.org> writes:

> Please explain your reasoning here. The project has taken nasty hits
> on its infrastructure already (pgfoundry) because the author of the
> software had a go-it-alone, I-know-best attitude that sooner than
> later forced us to fork. As a direct consequence, pgfoundry now needs
> a redo that will take a pgfoundry administrator many of work in their
> "ample spare time."
>
> Let's not cause more pinch points here.

Well sure, but I'm not sure the software used to distribute the program
makes the main difference there. I don't know much about the two
programs, what makes you think one is more of a go-it-alone style of
development than the other?

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL training!

David Fetter wrote: > On Mon, Jun 30, 2008 at 01:50:26PM +0200, Magnus Hagander wrote: >> David Fetter wrote: > [gitosis] >>> It *would* be good, if the author seemed even vaguely interested >>> in packaging up so much as a tarball, but he is not. His attitude >>> is (paraphrasing from conversations with him the past few days), >>> "it's good enough as a git repository, and everybody who's using >>> it is a git administrator, so they should know how to wrangle git >>> repositories." While he may someday outgrow this, we really should >>> not put him and his attitude in critical paths for our project. >>> >>> Let's go with git-shell, which is supported and packaged software >>> on just about every platform, and stop waiting for Godot^Wgitosis. >> I'm not sure I agree that this is a big problem, but sure, we should >> at least consider git-shell. > > Please explain your reasoning here. The project has taken nasty hits > on its infrastructure already (pgfoundry) because the author of the > software had a go-it-alone, I-know-best attitude that sooner than > later forced us to fork. As a direct consequence, pgfoundry now needs > a redo that will take a pgfoundry administrator many of work in their > "ample spare time." If the reason for this is that the software isn't usable, that's one thing. If it's just the author that considers "a git snapshot is my release packaging, not a tarball", I don't see how that in itself has any effect on the quality of the software. If that's the only thing it's saying, I don't think that in itself is enough to disqualify gitosis. >> Is there any product out there that makes it possible to admin a >> git-shell based system without having all the admins being root on >> the server? Because that's simply not an option if you want >> anything remotely scalable. > > I don't know what you mean by "remotely scalable," but it's clearly > not the same definition I have. 
A sudo wrapper which only allows > creation, editing and deletion of accounts restricted to git-shell > will scale just fine. A properly working sudo wrapper that will let you do *everything needed* is good enough for me. >>> Here's an even simpler implementation: git-ssh and public keys. Yes, >>> it involves work by administrators, which I'd be delighted to do. >> Are you referring to git-shell, or is this a different product? If so, >> reference to said product, please? > > Same. Ok, good. >> And it must not require root. > > This is what sudo is built to do :) Yes. >> Show me such a solution, and I'll be happy to consider it :-) > > 1. Create a (set of) program(s) which does exactly the following things: > > * Create an account with git-ssh as its shell. > * Manipulate the contact information, ssh keys and groups of said account. > * Delete the account. Rght. Is there a product out there already that lets us do this, or is it something we need to write ourselves? You'll also need scripts to create and modify the GIT responsitories themselves, no? Since it's sudo, it has to be secure after all, so it's not necessarily a 2 minute hack. > 2. Create a unix group and corresponding sudo role that accesses the above. > > 3. Create shell accounts as needed with the above group. Yes, that's > a root-only task, but it's a short one. Um, not following that step. What account are you talking about here? Creating the accounts for the admins? That's not an issue, since I assume that's not something that would be done very often :-) > I believe that the above takes care of 90% or more of tasks. If it > turns out that we need to automate more, we can add that > (semi)automation to the capabilities above :) As long as it allows it. For example, having a webserver do sudo is not something that makes me feel very safe (and yes, I've seen solutions that do that claiming to be secure. 
And sure, you *can* build them secure, it's just a lot harder than most people who choose to do it are aware of) //Magnus
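An added example, not code from the thread or from the PostgreSQL project: one way the sudo-invoked account wrapper discussed in the message above could validate its input before touching any account. The script name `gitacct`, the `gitadmin` group, the `git-` account prefix, the git-shell path and the Linux-style `useradd`/`userdel` commands are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical "gitacct" wrapper, the only command a sudoers rule
# such as  %gitadmin ALL = (root) /usr/local/sbin/gitacct  would grant (assumed names).
# It prints the privileged command it would run instead of running it.
LC_ALL=C; export LC_ALL                       # make [a-z] ranges byte-exact
GIT_SHELL=${GIT_SHELL:-/usr/bin/git-shell}    # assumed install path
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}       # overridable for offline testing
NL='
'

# Allow-list: "git-" prefix plus 1-24 lowercase alphanumerics. This rules out
# option injection (leading "-"), path characters and existing system accounts.
valid_name() {
    rest=${1#git-}
    [ "$rest" != "$1" ] && [ "${#rest}" -le 24 ] || return 1
    case $rest in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
}

# Only accounts whose login shell is already git-shell may be edited or deleted.
is_git_account() {
    awk -F: -v u="$1" -v s="$GIT_SHELL" \
        '$1 == u && $7 == s { ok = 1 } END { exit !ok }' "$PASSWD_FILE"
}

# One key per call, no authorized_keys options (command=, etc.) in front of it.
valid_key() {
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa) [A-Za-z0-9+/]+={0,3}( [A-Za-z0-9@._-]+)?$'
}

plan() {   # usage: plan create|addkey|delete NAME [PUBKEY]
    valid_name "$2" || { echo "reject: account name" >&2; return 2; }
    case $1 in
        create) echo "useradd -m -s $GIT_SHELL $2" ;;
        addkey) is_git_account "$2" || { echo "reject: not a git-shell account" >&2; return 3; }
                valid_key "$3" || { echo "reject: key" >&2; return 4; }
                echo "append-key $2" ;;   # placeholder for the key-install step
        delete) is_git_account "$2" || { echo "reject: not a git-shell account" >&2; return 3; }
                echo "userdel -r $2" ;;
        *)      echo "reject: action" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then plan "$@"; fi
```

The shell check in `is_git_account` is what keeps a member of the admin group from using the wrapper against root or any ordinary login account.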
Hi, From: David Fetter <david@fetter.org> Subject: Re: [HACKERS] Git Repository for WITH RECURSIVE and others Date: Tue, 24 Jun 2008 07:47:13 -0700 > > > With lots of help from Greg Sabino Mullane, I've set up a git > > > repository for the WITH RECURSIVE patches on > > > <http://git.postgresql.org/>. > > > > Thank you very much. > > > > I tried git-clone, but I could not access the repository. > > > > % git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git > > Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/ > > fatal: The remote end hung up unexpectedly > > fetch-pack from 'git://git.postgresql.org/git/~davidfetter/postgresql/.git' failed. > > I ran git-update-server-info on the server, and it should work now. :)

I cannot get yet...

% cat ~/.gitconfig
[user]
    name = Yoshiyuki Asaba
    email = y-asaba@sraoss.co.jp

# WITH RECURSIVE repository
% git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git
Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/
fatal: The remote end hung up unexpectedly
fetch-pack from 'git://git.postgresql.org/git/~davidfetter/postgresql/.git' failed.

# PostgreSQL repository
% git clone git://git.postgresql.org/git/postgresql.git
Initialized empty Git repository in /home/y-asaba/git/x/postgresql/.git/
fatal: The remote end hung up unexpectedly
fetch-pack from 'git://git.postgresql.org/git/postgresql.git' failed.

# another PostgreSQL repository (I can get.)
git clone git://repo.or.cz/PostgreSQL.git
Initialized empty Git repository in /home/y-asaba/git/x/PostgreSQL/.git/
remote: Counting objects: 323716, done.
remote: Compressing objects: 100% (53329/53329), done.
...

Regards, -- Yoshiyuki Asaba y-asaba@sraoss.co.jp
On Thu, Jul 03, 2008 at 11:16:49AM +0900, Yoshiyuki Asaba wrote: > Hi, > > From: David Fetter <david@fetter.org> > Subject: Re: [HACKERS] Git Repository for WITH RECURSIVE and others > Date: Tue, 24 Jun 2008 07:47:13 -0700 > > > > > With lots of help from Greg Sabino Mullane, I've set up a git > > > > repository for the WITH RECURSIVE patches on > > > > <http://git.postgresql.org/>. > > > > > > Thank you very much. > > > > > > I tried git-clone, but I could not access the repository. > > > > > > % git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git > > > Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/ > > > fatal: The remote end hung up unexpectedly > > > fetch-pack from 'git://git.postgresql.org/git/~davidfetter/postgresql/.git' failed. > > > > I ran git-update-server-info on the server, and it should work now. :) > > I cannot get yet... > > % cat ~/.gitconfig > [user] > name = Yoshiyuki Asaba > email = y-asaba@sraoss.co.jp I don't have a ~/.gitconfig. Does it work when you don't use one? I've run git-update-server-info again, for what that's worth. Also, what version of git are you using? I'm using git 1.5.5 without trouble. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
At 2008-07-03 11:16:49 +0900, y-asaba@sraoss.co.jp wrote: > > # WITH RECURSIVE repository > % git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git > Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/ > fatal: The remote end hung up unexpectedly Run git-clone http://git.postgresql.org/git/~davidfetter/postgresql/.git instead. "git://..." apparently doesn't work on that repository (I don't know why not). -- ams
Hi, From: Abhijit Menon-Sen <ams@oryx.com> Subject: Re: [HACKERS] Git Repository for WITH RECURSIVE and others Date: Thu, 3 Jul 2008 09:18:17 +0530 > At 2008-07-03 11:16:49 +0900, y-asaba@sraoss.co.jp wrote: > > > > # WITH RECURSIVE repository > > % git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git > > Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/ > > fatal: The remote end hung up unexpectedly > > Run git-clone http://git.postgresql.org/git/~davidfetter/postgresql/.git > instead. "git://..." apparently doesn't work on that repository (I don't > know why not). Thanks for the advice. I could get the repository via HTTP. Regards, -- Yoshiyuki Asaba y-asaba@sraoss.co.jp
I just had this same problem. Perhaps the wiki and http://git.postgresql.org/static/serviceinfo.html should also be updated with the working (i.e. http) URL? ...Robert On Thu, Jul 3, 2008 at 12:56 AM, Yoshiyuki Asaba <y-asaba@sraoss.co.jp> wrote: > Hi, > > From: Abhijit Menon-Sen <ams@oryx.com> > Subject: Re: [HACKERS] Git Repository for WITH RECURSIVE and others > Date: Thu, 3 Jul 2008 09:18:17 +0530 > >> At 2008-07-03 11:16:49 +0900, y-asaba@sraoss.co.jp wrote: >> > >> > # WITH RECURSIVE repository >> > % git-clone git://git.postgresql.org/git/~davidfetter/postgresql/.git >> > Initialized empty Git repository in /home/y-asaba/x/postgresql/.git/ >> > fatal: The remote end hung up unexpectedly >> >> Run git-clone http://git.postgresql.org/git/~davidfetter/postgresql/.git >> instead. "git://..." apparently doesn't work on that repository (I don't >> know why not). > > Thanks for the advice. I could get the repository via HTTP. > > Regards, > -- > Yoshiyuki Asaba > y-asaba@sraoss.co.jp
On Thu, Jul 03, 2008 at 09:18:17AM +0530, Abhijit Menon-Sen wrote: > Run git-clone http://git.postgresql.org/git/~davidfetter/postgresql/.git > instead. "git://..." apparently doesn't work on that repository (I don't > know why not). Is this the official recursion archive now? Can we commit there too? I didn't want to try this without having a real change. :-) Michael -- Michael Meskes Email: Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org) ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: meskes@jabber.org Go VfL Borussia! Go SF 49ers! Use Debian GNU/Linux! Use PostgreSQL!
On Sun, Jul 06, 2008 at 02:58:38PM +0200, Michael Meskes wrote: > On Thu, Jul 03, 2008 at 09:18:17AM +0530, Abhijit Menon-Sen wrote: > > Run git-clone > > http://git.postgresql.org/git/~davidfetter/postgresql/.git > > instead. "git://..." apparently doesn't work on that repository (I > > don't know why not). > > Is this the official recursion archive now? I don't know about official, but it's available :) > Can we commit there too? I didn't want to try this without having a > real change. :-) If you send me a public key, I can put it there. That way, you'll be able to get in as davidfetter. Cheers, David (hoping to close this one out soon on account of its being committed :) -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
On Mon, Jun 30, 2008 at 05:30:19PM +0200, Magnus Hagander wrote: > David Fetter wrote: > > On Mon, Jun 30, 2008 at 01:50:26PM +0200, Magnus Hagander wrote: > >> David Fetter wrote: > > [gitosis] > >> I'm not sure I agree that this is a big problem, but sure, we > >> should at least consider git-shell. > > > > Please explain your reasoning here. The project has taken nasty > > hits on its infrastructure already (pgfoundry) because the author > > of the software had a go-it-alone, I-know-best attitude that > > sooner than later forced us to fork. As a direct consequence, > > pgfoundry now needs a redo that will take a pgfoundry > > administrator many of work in their "ample spare time." > > If the reason for this is that the software isn't usable, that's one > thing. If it's just the author that considers "a git snapshot is my > release packaging, not a tarball", I don't see how that in itself > has any effect on the quality of the software. You don't? You have *got* to be joking. > If that's the only thing it's saying, I don't think that in itself > is enough to disqualify gitosis. The author's got a haughty disinterest in having anybody else ever participate in gitosis development. That's a show-stopper, totally independent of the current code. > >> Is there any product out there that makes it possible to admin a > >> git-shell based system without having all the admins being root on > >> the server? Because that's simply not an option if you want > >> anything remotely scalable. > > > > I don't know what you mean by "remotely scalable," but it's clearly > > not the same definition I have. A sudo wrapper which only allows > > creation, editing and deletion of accounts restricted to git-shell > > will scale just fine. > > A properly working sudo wrapper that will let you do *everything needed* > is good enough for me. 
We can make one of those, and it doesn't have to--can't be--perfect the first time through because we will find capabilities it needs and ones we supplied that it doesn't. > >> Show me such a solution, and I'll be happy to consider it :-) > > > > 1. Create a (set of) program(s) which does exactly the following things: > > > > * Create an account with git-ssh as its shell. > > * Manipulate the contact information, ssh keys and groups of said account. > > * Delete the account. > > Right. Is there a product out there already that lets us do this, or is > it something we need to write ourselves? > > You'll also need scripts to create and modify the GIT repositories > themselves, no? > > Since it's sudo, it has to be secure after all, so it's not necessarily > a 2 minute hack. The more I think about this, the more it looks like admin tasks and not like tools. We don't know enough about what's actually going to be going on to create such tools yet. > > 2. Create a unix group and corresponding sudo role that accesses the above. > > > > 3. Create shell accounts as needed with the above group. Yes, that's > > a root-only task, but it's a short one. > > Um, not following that step. What account are you talking about here? > Creating the accounts for the admins? Per-project accounts. > That's not an issue, since I assume that's not something that would > be done very often :-) > > > I believe that the above takes care of 90% or more of tasks. If > > it turns out that we need to automate more, we can add that > > (semi)automation to the capabilities above :) > > As long as it allows it. For example, having a webserver do sudo is > not something that makes me feel very safe (and yes, I've seen > solutions that do that claiming to be secure. And sure, you *can* > build them secure, it's just a lot harder than most people who > choose to do it are aware of) You've brought up security, and that's just great. Now that you've brought it up, how about sketching out a threat model? 
It's only possible to discuss security measures with reference to a threat model. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate