[Fusionforge-general] [RFC] Git over smart-HTTP

Sylvain Beucler - Inria sylvain.beucler at inria.fr
Mon Apr 14 11:20:00 CEST 2014


On 11/04/2014 14:18, Roland Mas wrote:
> Sylvain Beucler - Inria, 2014-04-09 16:17:11 +0200 :
>
>> On 09/04/2014 15:28, Roland Mas wrote:
>>>     In order to allow concurrent SSH + HTTP(S) access to Git repositories,
>>> I implemented a prototype using the MPM-ITK Apache2 module.
>> Great!
>>> It basically runs git-http-backend as a CGI when inside a specific vhost,
>>> under the identity of the user performing the request.
>> If it's just a CGI, we don't have to use mpm-itk.
>> Using something like mirabilos' gitweb for private projects,
>> sudo-based, also works:
>> http://lists.fusionforge.org/pipermail/fusionforge-general/2014-February/002572.html
>> (or a suPHP wrapper, or...)
>    Yes, it would also work.  This is a prototype, not meant to be the
> final implementation :-)
Yeah but let's still discuss how the fundamental technique is suitable 
or not for a final implementation :)
>> However the mpm-itk lead is interesting to investigate for dav_svn, or
>> other non-CGI needs.
>>> So that means that hooks and so on don't grant access to anything beyond what the user
>>> would have through SSH, yet they can clone and push even from
>>> restrictive networks.  The authentication/authorization part is managed
>>> by Apache with basic auth (userfile/groupfile) and a set of macros.
>> How about mod_auth_pgsql2 plugged on nss_usergroups? (in use at Inria)
>> No need to write the userfile/groupfile, no cron :)
>    Excellent idea.  For some reason I thought that this module was
> somewhat exotic, but since it's been available for years I guess I was
> mistaken.  Let's push that to round 2 of the implementation.
>
> [...]
>
>> First, let's note that this approach requires Apache 2.4
>> (http://mpm-itk.sesse.net/ says: AssignUserIDExpr,
>> AssignGroupIDExpr (Apache 2.4 or newer only)).
>> The patch configuration doesn't use IfVersion around these directives,
>> but they require 2.4. And of course, mpm-itk.
>    Yes.  It's rough and unfinished.
>
>> Depending on the next FF release's Apache target, we may need to make
>> this feature optional, hence write the packaging accordingly
>> (e.g. "a2enmod macro" optional or in a separate package).
>    That's a question we need to raise anyway: what do we target as
> dependencies for 6.0?  I'd be in favour of upgrading the versions for a
> few components (including Apache).
Depends on whether we make the release fast, and whether we require 2.4 
or 2.4-itk.
Let's discuss this on Friday.
>    I'll try polishing the patch and pushing it to a branch in my personal
> repo early next week (actually, two branches, one without the Debian
> packaging).

-- 
Sylvain


