From: "Thompson, David"
To: Efraim Flashner, "Thompson, David", zimoun, 25957@debbugs.gnu.org
Subject: bug#25957: gitolite broken: created repositories keep references to /usr/bin for hooks
Date: Fri, 2 Sep 2022 15:58:09 -0400

On Fri, Sep 2, 2022 at 8:50 AM Thompson, David wrote:
>
> On Fri, Sep 2, 2022 at 8:44 AM Efraim Flashner wrote:
> >
> > On Fri, Sep 02, 2022 at 07:11:54AM -0400, Thompson, David wrote:
> > > On Fri, Sep 2, 2022 at 3:00 AM Efraim Flashner wrote:
> > > >
> > > > I took a look at the gitolite service finally and I hadn't realized
> > > > there wasn't a running daemon to containerize. I assumed we could do
> > > > something like:
> > > >
> > > > (start $~(make-forkexec-constructor/container
> > > >            (list ...)
> > > >            #:environment-variables
> > > >            '("PATH=...")
> > > >            #:mappings ...))
> > > >
> > > > Given that's not the case then I'd need to look at gitolite itself to
> > > > see how it calls the other binaries it expects to be available, and if
> > > > wrapping it would be enough or if we would need to just propagate the
> > > > other packages for functionality.
> > >
> > > Gitolite simply expects tools like git to be on $PATH. It's a pretty
> > > naive system, there's nothing like a configure script that is
> > > determining the absolute file name of these tools and substituting
> > > those names into the built files.
> > >
> > > The executable is already wrapped so that coreutils, findutils, and
> > > git are on $PATH, but notably not openssh:
> > >
> > > (add-after 'install 'wrap-scripts
> > >   (lambda* (#:key inputs outputs #:allow-other-keys)
> > >     (let ((out (assoc-ref outputs "out"))
> > >           (coreutils (assoc-ref inputs "coreutils"))
> > >           (findutils (assoc-ref inputs "findutils"))
> > >           (git (assoc-ref inputs "git")))
> > >       (wrap-program (string-append out "/bin/gitolite")
> > >         `("PATH" ":" prefix
> > >           ,(map (lambda (dir)
> > >                   (string-append dir "/bin"))
> > >                 (list out coreutils findutils git)))))))
> > >
> > > However, git and openssh are still propagated inputs. I'm going to
> > > move the propagated inputs to regular inputs, potentially add openssh
> > > to the wrapper once I remind myself what gitolite does with those
> > > tools, and test it all out on my server using the gitolite service.
> > > If that all works, we have a good starting point for adding extension
> > > support in the service.
> >
> > I like it. Let us know how it goes.
>
> The problem is that gitolite generates git hooks for the repositories
> that it manages, and those hooks invoke git, so the only way those
> scripts will be able to work (without input propagation) is to find a
> way to inject the proper PATH or find a way to replace references to
> things like 'git diff' with '/gnu/store/.../git diff'. I'm going to
> keep exploring and report back when I have something to show.

After several rounds of experimentation and breaking my git server a
few times, here's what I've found:

* Changing git and openssh to be regular inputs and wrapping both
  gitolite and gitolite-shell with a $PATH that contains git works and
  it's very little extra code.

* Trying to replace every invocation of a git command took a lot of
  grepping and crafting of regexps to use for substitute* and I never
  got to a point where the result wasn't buggy. In particular,
  gitolite-shell never worked properly so I couldn't push to my repos.

So, I think the simple wrapper approach is the way to go. Patch attached.

I tested on my git server by making changes to my gitolite
configuration and pushing those changes to the special gitolite-admin
repo. This causes gitolite to refresh internal configuration using a
git hook, so I know that hooks can find the executables they need.
That plus the 'gitolite setup' invocation made by the service
activation script covers a fair amount of surface area, so I feel
comfortable committing it.

What do you think? Once this part is done, I'll turn my attention to
the optional extensions.

- Dave

[Attachment: 0001-gnu-gitolite-Wrap-programs-instead-of-using-propagat.patch (text/x-patch)]
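
Added example, not part of the original message or of the attached patch: a shell demonstration of why wrapping the launching program is enough for generated hooks, since a hook inherits the PATH of the process that runs it. The stub `git`, the temporary directory layout and the `prog` / `.prog-real` names are constructed for the demo, and the wrapper's shape is an assumption loosely modelled on what `wrap-program` generates.

```shell
#!/bin/sh
# Constructed demo: a generated "hook" calls git by bare name. It only works
# when the program that launches it was started through a PATH-prefixing wrapper.

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
store="$demo_root/store/git/bin"   # stand-in for a /gnu/store/.../bin directory
mkdir -p "$store" "$demo_root/bin"

# Stub git, so the demo needs no real git installation.
printf '#!/bin/sh\necho "stub-git $*"\n' > "$store/git"

# Hook as a tool like gitolite would write it into a managed repository.
printf '#!/bin/sh\ngit diff\n' > "$demo_root/hook"

# The real program: runs the hook as a child process.
printf '#!/bin/sh\nexec "%s/hook"\n' "$demo_root" > "$demo_root/bin/.prog-real"

# Wrapper (assumed shape): prefix PATH with the store directory,
# then exec the real program.
cat > "$demo_root/bin/prog" <<EOF
#!/bin/sh
export PATH="$store\${PATH:+:}\$PATH"
exec "$demo_root/bin/.prog-real" "\$@"
EOF
chmod +x "$store/git" "$demo_root/hook" \
         "$demo_root/bin/.prog-real" "$demo_root/bin/prog"

# Both runs start from a PATH that contains no git at all.
run_unwrapped() { PATH=/nonexistent "$demo_root/bin/.prog-real" 2>/dev/null; }
run_wrapped()   { PATH=/nonexistent "$demo_root/bin/prog"; }

run_unwrapped || echo "unwrapped: hook failed, git not on PATH"
echo "wrapped:   $(run_wrapped)"
```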