Re: Switching to Git

Re: Switching to Git

[Sam Vilain]

Ævar Arnfjörð Bjarmason wrote:
> Yes see [1] it works but the list members wanted some tool to manage
> passwords too which I didn't pursue since it worked for me in its
> present form.
> 
> 1. http://lists-archives.org/git/640574-authentication-support-for-pserver.html

Cool, well done.  Having re-read that thread, I think Martin Langhoff's
response
http://lists-archives.org/git/641074-authentication-support-for-pserver.html
is the most pertinent.  I didn't see any requests for an actual tool to
be written, just that the password file be separate to the git config
file, and/or use crypt() to store its contents.  Perhaps point them at
"htpasswd" if they want a tool :)

This patch is untested and sits on top of the previous patch by Ævar.
Pullable from git://git.catalyst.net.nz/git.git#cvsserver-auth

Subject: [PATCH] git-cvsserver: use a password file cvsserver pserver

If a git repository is shared via HTTP, the config file is typically
visible.  Use an external file instead.
---
 Documentation/git-cvsserver.txt |   21 ++++++++++++++++-----
 git-cvsserver.perl              |   27 ++++++++++++++-------------
 2 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index 98183d4..c642f12 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -97,16 +97,27 @@ looks like
 ------
 
 Only anonymous access is provided by pserve by default. To commit you
-will have to create pserver accounts, simply add a [gitcvs.users]
-section to the repositories you want to access, for example:
+will have to create pserver accounts, simply add a gitcvs.authdb
+setting in the config file of the repositories you want the cvsserver
+to allow writes to, for example:
 
 ------
    
-   [gitcvs.users]
-        someuser = somepassword
-        otheruser = otherpassword
+   [gitcvs]
+        authdb = /etc/cvsserver/passwd
    
 ------
+The format of these files is username followed by the crypted password,
+for example:
+
+------
+   myuser:$1Oyx5r9mdGZ2
+   myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
+------
+You can use the 'htpasswd' facility that comes with Apache to make these
+files, but Apache's MD5 crypt method differs from the one used by most C
+library's crypt() function, so don't use the -m option.
+
 Then provide your password via the pserver method, for example:
 ------
    cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index 9bc2ff5..e54cbcd 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -156,24 +156,25 @@ if ($state->{method} eq 'pserver') {
 
     unless ($user eq 'anonymous') {
         # Trying to authenticate a user
-        if (not exists $cfg->{gitcvs}->{users}) {
-            print "E the repo config file needs a [gitcvs.users] section with user/password key-value pairs\n";
+        if (not exists $cfg->{gitcvs}->{authdb}) {
+            print "E the repo config file needs a [gitcvs.authdb] section with a filename\n";
             print "I HATE YOU\n";
             exit 1;
-        } elsif (exists $cfg->{gitcvs}->{users} and not exists $cfg->{gitcvs}->{users}->{$user}) {
-            #print "E the repo config file has a [gitcvs.users] section but the user $user is not defined in it\n";
+        }
+	my $auth_ok;
+	open PASSWD, "<$cfg->{gitcvs}->{authdb}" or die $!;
+	while(<PASSWD>) {
+	    if (m{^\Q$user\E:(.*)}) {
+		if (crypt($user, $1) eq $1) {
+		    $auth_ok = 1;
+		}
+	    };
+	}
+	unless ($auth_ok) {
             print "I HATE YOU\n";
             exit 1;
-        } else {
-            my $descrambled_password = descramble($password);
-            my $cleartext_password = $cfg->{gitcvs}->{users}->{$user};
-            if ($descrambled_password ne $cleartext_password) {
-                #print "E The password supplied for user $user was incorrect\n";
-                print "I HATE YOU\n";
-                exit 1;
-            }
-            # else fall through to LOVE
         }
+        # else fall through to LOVE
     }
 
     # For checking whether the user is anonymous on commit
-- 
1.5.3.5

Re: Switching to Git

[Ævar Arnfjörð Bjarmason]

On 3/6/08, Sam Vilain <sam@vilain.net> wrote:
> Ævar Arnfjörð Bjarmason wrote:
> > Yes see [1] it works but the list members wanted some tool to manage
> > passwords too which I didn't pursue since it worked for me in its
> > present form.
> >
> > 1.
> http://lists-archives.org/git/640574-authentication-support-for-pserver.html
>
> Cool, well done. Having re-read that thread, I think Martin Langhoff's
> response
> http://lists-archives.org/git/641074-authentication-support-for-pserver.html
> is the most pertinent. I didn't see any requests for an actual tool to
> be written, just that the password file be separate to the git config
> file, and/or use crypt() to store its contents. Perhaps point them at
> "htpasswd" if they want a tool :)

I was refering to http://www.spinics.net/lists/git/msg53054.html

But yes, your crypt() method should do. I made some cleanups to your
patch so it works now, you can pull the changes from
git://git.nix.is/avar/git if you'd like.

I'm submitting this to the git list again.

</wildly off-topic>

Re: Switching to Git

[Ævar Arnfjörð Bjarmason]

Sam Vilain <sam@vilain.net> writes:

> Ævar Arnfjörð Bjarmason wrote:
>> Yes see [1] it works but the list members wanted some tool to manage
>> passwords too which I didn't pursue since it worked for me in its
>> present form.
>> 
>> 1. http://lists-archives.org/git/640574-authentication-support-for-pserver.html
>
> Cool, well done.  Having re-read that thread, I think Martin Langhoff's
> response
> http://lists-archives.org/git/641074-authentication-support-for-pserver.html
> is the most pertinent.  I didn't see any requests for an actual tool to
> be written, just that the password file be separate to the git config
> file, and/or use crypt() to store its contents.  Perhaps point them at
> "htpasswd" if they want a tool :)
>
> This patch is untested and sits on top of the previous patch by Ævar.
> Pullable from git://git.catalyst.net.nz/git.git#cvsserver-auth
>
> Subject: [PATCH] git-cvsserver: use a password file cvsserver pserver
>
> If a git repository is shared via HTTP, the config file is typically
> visible.  Use an external file instead.
> ---
>  Documentation/git-cvsserver.txt |   21 ++++++++++++++++-----
>  git-cvsserver.perl              |   27 ++++++++++++++-------------
>  2 files changed, 30 insertions(+), 18 deletions(-)
>
> diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
> index 98183d4..c642f12 100644
> --- a/Documentation/git-cvsserver.txt
> +++ b/Documentation/git-cvsserver.txt
> @@ -97,16 +97,27 @@ looks like
>  ------
>  
>  Only anonymous access is provided by pserve by default. To commit you
> -will have to create pserver accounts, simply add a [gitcvs.users]
> -section to the repositories you want to access, for example:
> +will have to create pserver accounts, simply add a gitcvs.authdb
> +setting in the config file of the repositories you want the cvsserver
> +to allow writes to, for example:
>  
>  ------
>     
> -   [gitcvs.users]
> -        someuser = somepassword
> -        otheruser = otherpassword
> +   [gitcvs]
> +        authdb = /etc/cvsserver/passwd
>     
>  ------
> +The format of these files is username followed by the crypted password,
> +for example:
> +
> +------
> +   myuser:$1Oyx5r9mdGZ2
> +   myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
> +------
> +You can use the 'htpasswd' facility that comes with Apache to make these
> +files, but Apache's MD5 crypt method differs from the one used by most C
> +library's crypt() function, so don't use the -m option.
> +
>  Then provide your password via the pserver method, for example:
>  ------
>     cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
> diff --git a/git-cvsserver.perl b/git-cvsserver.perl
> index 9bc2ff5..e54cbcd 100755
> --- a/git-cvsserver.perl
> +++ b/git-cvsserver.perl
> @@ -156,24 +156,25 @@ if ($state->{method} eq 'pserver') {
>  
>      unless ($user eq 'anonymous') {
>          # Trying to authenticate a user
> -        if (not exists $cfg->{gitcvs}->{users}) {
> -            print "E the repo config file needs a [gitcvs.users] section with user/password key-value pairs\n";
> +        if (not exists $cfg->{gitcvs}->{authdb}) {
> +            print "E the repo config file needs a [gitcvs.authdb] section with a filename\n";
>              print "I HATE YOU\n";
>              exit 1;
> -        } elsif (exists $cfg->{gitcvs}->{users} and not exists $cfg->{gitcvs}->{users}->{$user}) {
> -            #print "E the repo config file has a [gitcvs.users] section but the user $user is not defined in it\n";
> +        }
> +	my $auth_ok;
> +	open PASSWD, "<$cfg->{gitcvs}->{authdb}" or die $!;
> +	while(<PASSWD>) {
> +	    if (m{^\Q$user\E:(.*)}) {
> +		if (crypt($user, $1) eq $1) {
> +		    $auth_ok = 1;
> +		}
> +	    };
> +	}
> +	unless ($auth_ok) {
>              print "I HATE YOU\n";
>              exit 1;
> -        } else {
> -            my $descrambled_password = descramble($password);
> -            my $cleartext_password = $cfg->{gitcvs}->{users}->{$user};
> -            if ($descrambled_password ne $cleartext_password) {
> -                #print "E The password supplied for user $user was incorrect\n";
> -                print "I HATE YOU\n";
> -                exit 1;
> -            }
> -            # else fall through to LOVE
>          }
> +        # else fall through to LOVE
>      }
>  
>      # For checking whether the user is anonymous on commit
> -- 
> 1.5.3.5

Ah, I didn't notice that this got crossposted, here, anyway I've cleaned
up this patch a bit and submitted it in reply to the original thread
[1].

1. http://article.gmane.org/gmane.comp.version-control.git/76446/match=bjarmason

Switching to GIT.

[David Woodhouse]

I think it's about time for us to switch to git -- the CVS repository
isn't really working too well. It was OK for a long time because I could
let people play with things in CVS and then clean it up to merge it
upstream, but that hasn't really worked for us with recent JFFS2
changes, partly because I haven't had much time to do that and the
changes have been too intrusive for me to keep up with them properly.

I think the better way to do things like that would be for people to
have their own git tree with stuff like EBH, xattr support, and then
others can use it from there -- it doesn't have to be merged directly
into CVS _first_. Once it's all working and stable, _then_ we can merge
it into the main tree.

I'd also like to retire the machine which is cvs.infradead.org at some
point, so the git service is all on pentafluge.infradead.org (aka
git.infradead.org). If you don't have an account there yet, you'll need
to ask me to set it up for you.

Users can create git trees in their ~/public_git/treename.git which will
be publicly accessible as git://git.infradead.org/~whoever/treename.git 

There's a clean copy of Linus' kernel tree in /home/git/linux-2.6.git
which is updated nightly, and also the 'official' MTD tree next to it --
please clone from one of those using 'alternates' instead of creating an
entirely new tree with all its own objects. For example:
     git-clone -l -n -s --bare /home/git/linux-2.6.git blah-2.6.git

There's also gitweb running on http://git.infradead.org/ but it doesn't
scan the users' home directories yet. Feel free to send me patches
against gitweb.cgi.

The MTD tree is now at git://git.infradead.org/mtd-2.6.git and the
utilities are at git://git.infradead.org/mtd-utils.git

The latter has just been imported directly from CVS and probably doesn't
build yet. The former is currently a clean copy of Linus' tree -- I'll
be cherry-picking some stuff from CVS shortly.

I haven't yet sorted out a script to feed the commits list, although it
shouldn't be hard. It's just a special case of the one I already use to
feed the git-commits lists on kernel.org.

-- 
dwmw2

Re: Switching to GIT.

[David Woodhouse]

On Tue, 2006-04-11 at 19:28 -0400, David Woodhouse wrote:
> There's also gitweb running on http://git.infradead.org/ but it
> doesn't scan the users' home directories yet. Feel free to send me
> patches against gitweb.cgi.

This is now fixed -- users' public_git directories are scanned by a cron
job every five minutes and an index is created. We only look for _bare_
repositories _directly_ under your ~/public_git directory -- i.e. the
script looks for ~/public_git/*/HEAD files.

If you have a deeper directory structure, or if your repository isn't a
bare repository, then it won't find your trees. It also won't find them
if your home directory isn't world-executable.

The switch to git seems to be working out OK so far. It should be fairly
simple for anyone to create git trees and ask me to pull from them --
I'd prefer that rather than patches in mail, if possible. Please make
sure your tree is based on the current contents of the mtd-2.6.git tree
though, to reduce the number of merges we have.

-- 
dwmw2