gitolite/README.mkd

# gitolite

>   [Update 2009-10-28: apart from all the nifty new features, there's now an
>   "easy install" script in the src directory.  This script can be used to
>   install as well as upgrade a gitolite install.  Please see the INSTALL
>   document for details]

----

Gitolite is a rewrite of gitosis, with a completely different config file that
allows (at last!) access control down to the branch level, including
specifying who can and cannot *rewind* a given branch.

In this document:

  * what
  * why
  * extra features
  * security
  * contact and license

----

### what

Gitolite allows a server to host many git repositories and provide access to
many developers, without having to give them real userids on the server.  The
essential magic in doing this is ssh's pubkey access and the `authorized_keys`
file, and the inspiration was an older program called gitosis.

Gitolite can restrict who can read from (clone/fetch) or write to (push) a
repository.  It can also restrict who can push to what branch or tag, which is
very important in a corporate environment.  Gitolite can be installed without
requiring root permissions, and with no additional software than git itself
and perl.  It also has several other neat features described below and
elsewhere in the `doc/` directory.

### why

I have been using gitosis for a while, and have learnt a lot from it.  But in
a typical $DAYJOB setting, there are some issues:

  * it's not always Linux; you can't just "urpmi gitosis" (or yum or apt-get)
    and be done
  * often, "python-setuptools" isn't installed (and on a Solaris9 I was trying
    to help remotely, we never did manage to install it eventually)
  * you don't have root access, or the ability to add users (this is also true
    for people who have just one userid on a hosting provider)
  * the most requested feature (see below) had to be written anyway

All of this pointed to a rewrite.  In perl, naturally :-)

### extra features

The most important feature I needed was **per-branch permissions**.  This is
pretty much mandatory in a corporate environment, and is almost the single
reason I started *thinking* about rolling my own gitosis in the first place.

It's not just "read-only" versus "read-write".  Rewinding a branch (aka "non
fast forward push") is potentially dangerous, but sometimes needed.  So is
deleting a branch (which is really just an extreme form of rewind).  I needed
something in between allowing anyone to do it (the default) and disabling it
completely (`receive.denyNonFastForwards` or `receive.denyDeletes`).

Here're **some more features**.  All of them, and more, are documented in
detail [here][gsdiff].

[gsdiff]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#diff

  * simpler, yet far more powerful, config file syntax, including specifying
    gitweb/daemon access.  You'll need this power if you manage lots of
    users+repos+combinations of access
  * apart from branch-name based restrictions, you can also restrict by
    file/dir name changed (i.e., output of `git diff --name-only`)
  * config file syntax gets checked upfront, and much more thoroughly
  * if your requirements are still too complex, you can split up the config
    file and delegate authority over parts of it
  * easier to specify gitweb owner, description and gitweb/daemon access
  * easier to sync gitweb (http) authorisation with gitolite's access config
  * more comprehensive logging [aka: management does not think "blame" is just
    a synonym for "annotate" :-)]
  * "personal namespace" prefix for each dev
  * migration guide and simple converter for gitosis conf file
  * "exclude" (or "deny") rights at the branch/tag level

### security

Due to the environment in which this was created and the need it fills, I
consider this a "security" program, albeit a very modest one.

For the first person to find a security hole in it, defined as allowing a
normal user (not the gitolite admin) to read a repo, or write/rewind a ref,
that the config file says he shouldn't, and caused by a bug in *code* that is
in the "master" branch, (not in the other branches, or the configuration file
or in Unix, perl, shell, etc.)...  well I can't afford 1000 USD rewards like
djb, so you'll have to settle for 1000 INR (Indian Rupees) as a "token" prize
:-)

However, there are a few optional features (which must be explicitly enabled
in the RC file) where I just haven't had the time to reason about security
thoroughly enough.  Please read the comments in `conf/example.gitolite.rc` for
details, looking for the word "security".

----

### contact and license

Gitolite is released under GPL v2.  See COPYING for details.

sitaramc@gmail.com
mailing list: gitolite@googlegroups.com
project renamed to gitolite 2009-08-26 02:47:27 +02:00			`# gitolite`
added README and TODO 2009-08-24 03:59:25 +02:00
doc/src: major doc/help text revamp also removed some dead code from compile (pre PTA days) 2009-10-30 16:55:06 +01:00			`> [Update 2009-10-28: apart from all the nifty new features, there's now an`
			`> "easy install" script in the src directory. This script can be used to`
			`> install as well as upgrade a gitolite install. Please see the INSTALL`
fold rebel into master :) [please read] Well, something even more outrageous than deny rules and path-based limits came along, so I decided that "rebel" was actually quite "conformist" in comparision ;-) Jokes apart, the fact is that the access control rules, even when using deny rules and path-limits, are still auditable. Which means it is good enough for "corporate use". [The stuff that I'm working on now takes away the auditability aspect -- individual users can "own" repos, create rules for themselves, etc. So let's just say that is the basis of distinguishing "master" now.] 2009-12-01 02:45:05 +01:00			`> document for details]`
aa ha! easy install script! src/00-easy-install.sh does everything needed, and it's mostly self-documented 2009-10-10 09:08:22 +02:00
almost all src/conf: logging totally redone, upgrade doc added - logs go into $GL_ADMINDIR/logs by default, named by year-month - logfile name template (including dir prefix) now in $GL_LOGT - two new env vars passed down: GL_TS and GL_LOG (timestamp, logfilename) - log messages timestamps more compact, fields tab-delimited - old and new SHAs cut to 14 characters 2009-09-06 10:04:41 +02:00			`----`

lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`Gitolite is a rewrite of gitosis, with a completely different config file that`
			`allows (at last!) access control down to the branch level, including`
			`specifying who can and cannot rewind a given branch.`
INSTALL and README pretty much done 2009-08-24 09:59:33 +02:00
added README and TODO 2009-08-24 03:59:25 +02:00			`In this document:`

doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`* what`
INSTALL and README pretty much done 2009-08-24 09:59:33 +02:00			`* why`
doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`* extra features`
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`* security`
			`* contact and license`
added README and TODO 2009-08-24 03:59:25 +02:00
			`----`

doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`### what`

			`Gitolite allows a server to host many git repositories and provide access to`
			`many developers, without having to give them real userids on the server. The`
			essential magic in doing this is ssh's pubkey access and the `authorized_keys`
			`file, and the inspiration was an older program called gitosis.`

			`Gitolite can restrict who can read from (clone/fetch) or write to (push) a`
			`repository. It can also restrict who can push to what branch or tag, which is`
			`very important in a corporate environment. Gitolite can be installed without`
			`requiring root permissions, and with no additional software than git itself`
			`and perl. It also has several other neat features described below and`
			elsewhere in the `doc/` directory.

INSTALL and README pretty much done 2009-08-24 09:59:33 +02:00			`### why`

			`I have been using gitosis for a while, and have learnt a lot from it. But in`
			`a typical $DAYJOB setting, there are some issues:`
added README and TODO 2009-08-24 03:59:25 +02:00
INSTALL and README pretty much done 2009-08-24 09:59:33 +02:00			`* it's not always Linux; you can't just "urpmi gitosis" (or yum or apt-get)`
			`and be done`
			`* often, "python-setuptools" isn't installed (and on a Solaris9 I was trying`
			`to help remotely, we never did manage to install it eventually)`
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`* you don't have root access, or the ability to add users (this is also true`
			`for people who have just one userid on a hosting provider)`
doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`* the most requested feature (see below) had to be written anyway`
added README and TODO 2009-08-24 03:59:25 +02:00
INSTALL and README pretty much done 2009-08-24 09:59:33 +02:00			`All of this pointed to a rewrite. In perl, naturally :-)`
added README and TODO 2009-08-24 03:59:25 +02:00
doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`### extra features`
added README and TODO 2009-08-24 03:59:25 +02:00
doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`The most important feature I needed was per-branch permissions. This is`
			`pretty much mandatory in a corporate environment, and is almost the single`
			`reason I started thinking about rolling my own gitosis in the first place.`
INSTALL and README pretty much done 2009-08-24 09:59:33 +02:00
README: added para about selective rewind, plus some minor fixes 2009-08-28 14:59:05 +02:00			`It's not just "read-only" versus "read-write". Rewinding a branch (aka "non`
			`fast forward push") is potentially dangerous, but sometimes needed. So is`
			`deleting a branch (which is really just an extreme form of rewind). I needed`
			`something in between allowing anyone to do it (the default) and disabling it`
			completely (`receive.denyNonFastForwards` or `receive.denyDeletes`).

doc/src: major doc/help text revamp also removed some dead code from compile (pre PTA days) 2009-10-30 16:55:06 +01:00			`Here're some more features. All of them, and more, are documented in`
			`detail [here][gsdiff].`

			`[gsdiff]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#diff`
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00
			`* simpler, yet far more powerful, config file syntax, including specifying`
doc fixes... - README: add a "what" section first, plus a few minor fixes - doc/5: - remove reference to obsolete ml branch URL; point it to the right place with the right section name - change text to reflect the fact that p-t-a is now the default! 2009-10-14 10:39:34 +02:00			`gitweb/daemon access. You'll need this power if you manage lots of`
			`users+repos+combinations of access`
mention NAME-based restrictions in README 2010-01-15 06:10:07 +01:00			`* apart from branch-name based restrictions, you can also restrict by`
			file/dir name changed (i.e., output of `git diff --name-only`)
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`* config file syntax gets checked upfront, and much more thoroughly`
			`* if your requirements are still too complex, you can split up the config`
			`file and delegate authority over parts of it`
docs: document how to specify "owner" for gitweb 2009-11-27 09:17:21 +01:00			`* easier to specify gitweb owner, description and gitweb/daemon access`
README, doc/3: gitweb "description" feature 2009-11-18 02:48:05 +01:00			`* easier to sync gitweb (http) authorisation with gitolite's access config`
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`* more comprehensive logging [aka: management does not think "blame" is just`
			`a synonym for "annotate" :-)]`
			`* "personal namespace" prefix for each dev`
			`* migration guide and simple converter for gitosis conf file`
fold rebel into master :) [please read] Well, something even more outrageous than deny rules and path-based limits came along, so I decided that "rebel" was actually quite "conformist" in comparision ;-) Jokes apart, the fact is that the access control rules, even when using deny rules and path-limits, are still auditable. Which means it is good enough for "corporate use". [The stuff that I'm working on now takes away the auditability aspect -- individual users can "own" repos, create rules for themselves, etc. So let's just say that is the basis of distinguishing "master" now.] 2009-12-01 02:45:05 +01:00			`* "exclude" (or "deny") rights at the branch/tag level`
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00
			`### security`

			`Due to the environment in which this was created and the need it fills, I`
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade). 2010-02-05 11:30:47 +01:00			`consider this a "security" program, albeit a very modest one.`
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00
			`For the first person to find a security hole in it, defined as allowing a`
			`normal user (not the gitolite admin) to read a repo, or write/rewind a ref,`
			`that the config file says he shouldn't, and caused by a bug in code that is`
			`in the "master" branch, (not in the other branches, or the configuration file`
			`or in Unix, perl, shell, etc.)... well I can't afford 1000 USD rewards like`
			`djb, so you'll have to settle for 1000 INR (Indian Rupees) as a "token" prize`
			`:-)`
added README and TODO 2009-08-24 03:59:25 +02:00
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade). 2010-02-05 11:30:47 +01:00			`However, there are a few optional features (which must be explicitly enabled`
			`in the RC file) where I just haven't had the time to reason about security`
			thoroughly enough. Please read the comments in `conf/example.gitolite.rc` for
			`details, looking for the word "security".`
(read this in full) access control for non-git commands running over ssh This is actually a pretty big deal, and I am seriously starting wonder if calling this "gitolite" is justified anymore. Anyway, in for a penny, in for a pound... This patch implements a generic way to allow access control for external commands, as long as they are invoked via ssh and present a server-side command that contains enough information to make an access control decision. The first (and only, so far) such command implemented is rsync. Please read the changes in this commit (at least the ones in conf/ and doc/) carefully. 2010-01-31 15:54:36 +01:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`----`
added README and TODO 2009-08-24 03:59:25 +02:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`### contact and license`
README: added para about selective rewind, plus some minor fixes 2009-08-28 14:59:05 +02:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`Gitolite is released under GPL v2. See COPYING for details.`
README: added para about selective rewind, plus some minor fixes 2009-08-28 14:59:05 +02:00
			`sitaramc@gmail.com`
created gitolite@googlegroups.com, updated README enough people told me they want one because they don't watch the git ML or it's too high traffic, so I finally made one and invited a few folks. 2010-03-19 02:47:44 +01:00			`mailing list: gitolite@googlegroups.com`