gitolite/doc/developer-notes.mkd
Sitaram Chamarty 42df4c01a9 gl-dont-panic replaced by more generic gl-admin-push
(sorry Douglas Adams; the "towel day" program is no more!)
2011-07-13 22:29:44 +05:30

7.5 KiB

developer/patch maintainer notes

In this document:


current development version

The current gitolite development version is v2.0rc1. Unless there is a serious security problem, or one of my large users [i.e., anyone whose name is in doc/who-uses-it.mkd (grin!)] needs it, all future changes will now happen here.

The commit looks huge, but it's mostly just large chunks of code moving around; there's not a whole lot of new code. However, I do apologise if anyone has their local changes conflicted when merging or rebasing against this version, and I promise to help as much as I can.

testing status of gitolite v2.0rc1

Pretty much all the major features have been properly tested using the test suite. The following exceptions exist:

  • basic, manual, testing only
    • most admin defined commands
    • smart http
    • mob branches
  • not yet tested
    • mirroring
  • things which I have no easy way to test
    • controlling gitweb authentication using gitolite (as described here)
    • SVN passthru

migration to gitolite v2.x

In general, the procedure for migrating described in the install document should suffice. Even the rc file hasn't really changed much from the latest versions in v1.x, except that if you add a new variable to it you must also add it to the @EXPORT list in src/gitolite_rc.pm.

general stuff

  • all scripts and libraries must be in the same directory. However, RPM/DEB packagers can put the libraries where they want, as long as they can be found in perl's default @INC.

  • gl-auth-command requires an actual ~/.gitolite.rc (except if your initials are "JK" or "DG", in which case /etc/gitolite/gitolite.rc also works!) It knows how to look around and set env vars etc correctly

  • all programs except gl-auth-command require the environment variables GL_RC and GL_BINDIR set properly. Your best bet is to run them via gl-auth-command, like so:

    path/to/gl-auth-command -e other_program other_program_arguments
    

    In any case none of these programs are meant to be run manually -- pretty much all of them are run via gl-auth-command or from something that was forked from it so the variables will exist during normal operation.

the rc file

The 'rc' file has one major change from v1: any new values in the rc file need to be added to the @EXPORT list in src/gitolite_rc.pm.

modules

There are 3 "modules" (gitolite_rc, gitolite_env, and gitolite itself). Their purposes should be fairly obvious.

that 'bindir' thing

The importance of GL_BINDIR is that the command= argument in ~/.ssh/authorized_keys must be a full path, ideally, and the compile script gets this from GL_BINDIR.

from perl

  • for frequently run perl programs, I prefer my method

    • gl-auth-command -- this is invoked with a full path
    • gl-time -- same as above
  • "their" ideal is "FindBin". I will use it only on manually or infrequently run programs

    • gl-setup-authkeys (external shim to compile keys separately from PTA)

from shell

  • a perl program called gl-query-rc finds its own BINDIR (using my perl method, not FindBin). This is suitable for calling from shell scripts as ${0%/*}/gl-query-rc GL_BINDIR

    • gl-mirror-shell (frequent use)
    • gl-setup
    • gl-tool

OUTLIER!

  • gl-admin-push is an outlier. For some silly reason I have the notion that even if it runs from /tmp it should get the right values, so it is the only one that interrogates ~/.ssh/authorized_keys to get the actual BINDIR in use!

special types of setups

Fedora

Fedora has a very special setup, as follows:

  • each user has his own userid and login

  • his/her ~/.ssh/authkeys file (containing only his/her key) has a "command=" clause invoking gl-auth-command

  • trusted users have "gl-auth-command -s" meaning they can get a shell if they want to

  • actual git repos are under "git" (or some such), and include the chmod g+s (git init --shared) unix perms tricks for shared access

  • but since they're coming through gl-auth, branch-level acls are in effect

  • the gitolite config file is generated from some database and compiled (all via cron)

  • the keydir/ is empty; in fact they probably don't use the admin repo at all, AFAIK

The most important implication of this setup is that the RC file is no longer is $HOME of the 'git' user. They keep it in /etc/gitolite/gitolite.rc. This means that a properly setup rc file must already be present in /etc/gitolite/gitolite.rc before doing any such installs.


Why v2?

I went onto #perl to ask some question about setpriority() and got yelled at for writing "horrible code". And that was one of the kinder comments; my rather fragile ego is trying to forget the rest ;-)

They also gave me a link to a PDF book, "Modern Perl" by 'chromatic'. Nice book; one of the first things you learn from it is that you should not go to #perl for general help.

Anyway, the summary of the collective angst of #perl (well 2 people anyway) was: use Getopt::Long, FindBin, 'use lib', a library for HTTP stuff, stop prefixing subs with '&', and get rid of the huge number of 'our' declarations.

That last item is the only one I totally agree with, because it was on my long term todo list anyway. And 'use lib' sorta goes with it, so that's fine too. And as soon as I found that vim colors the sub names differently if you take out the '&' I decided I'd do that too :-) [But honestly, if &sub is so bad shouldn't "man perlsub" at least say something negative about it, other than "disables prototype checking", which doesn't matter here since I'm not using prototypes?]

As for the rest, FindBin brings in a good 1000+ lines for something that I do in a line or two (since I don't care about all the pathological edge cases). Getopt::Long is 2649 lines to replace the code below [note that there is only one possible option to this command, and it is never run manually either, so I don't need any fancy features]:

my $shell_allowed = 0;
if (@ARGV and $ARGV[0] eq '-s') {
    $shell_allowed = 1;
    shift;
}

Apparently TMTOWTDI has given way to TOOWTDI.

Anyway, I spent a few hours refactoring it. And I do thank them for pushing me to stop being lazy on the "our" business.