you might wonder why these are different from all the other variables in
the rc file... it's just that I never thought people would want to
change these!
This new adc allows you to run arbitrary git commands on the server.
It is disabled by default, and you have to READ ALL INSTRUCTIONS **AND**
SOURCE CODE BEFORE DEPLOYING.
This patch is dedicated to the person who, when referred to [1] for
gitweb access help, assumed we're talking about a Unix userid called
"gitweb" and said it still doesn't work. He looked at the description
examples and wasn't sure what to do with them. Finally, he missed the
sentence "All gitolite does is:" in the document, and assumed *he* was
supposed to do what the next 3 bullets said (in this case, create the
"description" file manually).
He didn't once think of the gitolite.conf file as being the location for
these instructions, or that "give read access" means "R = ..." instead
of a Unix level "chmod ...".
Do things have to be spelled out so goddamn clearly? Can't people think
for a few seconds and see if there is another way before giving up?
I blame the prevalence of Windows and GUI IDEs. People can only
"click". They can't "think" anymore...
[1]: http://sitaramc.github.com/gitolite/doc/2-admin.html#gwd
apparently people run it from cron, so this causes a silly one-line
email saying just "Already on master"
thanks to shruggar on #git for pointing out to me that it is quite safe
to use --quiet and will not lose any actual error messages :)
- allow a mob username to be defined; all unauthenticated access will
look to gitolite like this user (if you also set up apache properly)
- update doc with more details (some repeat stuff from `man
git-http-backend` but it's probably worth having everything in one
place)
Fedora's config has over 11,000 repositories and the compiled config
file is over 20 MB in size. Although negligible on a server class
machine, on my laptop just parsing this file takes a good 2.5 seconds.
Even if you use GL_ALL_READ_ALL (see a couple of commits before this
one) to remove the overhead for 'read's, that's still a pretty big
overhead for writes. And GL_ALL_READ_ALL is not really a solution for
most people anyway.
With this commit, using GL_BIG_CONFIG adds another optimisation; see
doc/big-config.mkd for details (look for the word "split config" to find
the section that talks about it).
----
Implementation notes:
- the check for GL_NO_CREATE_REPOS has moved *into* the loop (which it
completely bypassed earlier) so that write_1_compiled_conf can be
called on each item
Fedora (for example) runs like this:
* each user has his own userid and login
* his/her ~/.ssh/authkeys file (containing only his/her key) has a
"command=" clause invoking just "gl-auth-command"
* trusted users have "gl-auth-command -s" meaning they can get a shell if
they want to
As a result, there is no specific $HOME where you can look for
.gitolite.rc. Hence this patch.
----
Side note: in addition, Fedora may have one or more of the following
characteristics (writing them here for convenience; they're not directly
relevant to this patch):
* actual git repos are under "git" (or some such), and include the chmod g+s
(git init --shared) unix perms tricks for shared access
* but since they're coming through gl-auth, branch-level acls are in effect
* the gitolite config file is generated from some database and compiled (all
via cron)
* the keydir/ is empty; in fact they probably don't use the admin repo at
all, AFAIK
For sample code see new file contrib/adc/get-rights-and-owner.in-perl.
Despite the name, you can use similar code in a hook also -- comments in
that file will tell you how.
implementation notes:
- check_access now takes an optional last arg "dry_run", which is also
passed through to check_ref
- check_ref returns a "DENIED by ..." instead of die-ing if dry_run is
passed in
- as a side effect, cli_repo_rights is now just a stub calling
check_access (we kept it hanging around for backward compat -- too
much adc pain for too many people if we change it now)
perm categories (like READERS and WRITERS, or whatever you put in your
$GL_WILDREPOS_PERM_CATS) are *supposed* to "have no pubkeys"; don't warn
about them
thanks to Joe Schaefer at the ASF for catching it. Note that this new
pattern *may* be too restrictive -- if you're using this feature and
have a problem with the new pattern please email me.
See email to gitolite mailing list around this date (2010-11-28) for
more details.
They don't work if someone calls the script for example
    su - gitolite -c gl-setup <key>
from a directory where "gitolite" user does not have permissions (e.g.
0700), then 'cd $od' fails and we stay in gitolite's $HOME.
[commit message changed by committer; author was more polite ;-)]