From: Efraim Flashner
To: "Thompson, David"
Cc: 25957@debbugs.gnu.org, Maxime Devos, zimoun
Date: Fri, 2 Sep 2022 09:56:49 +0300
Subject: bug#25957: [EXT] Re: [EXT] bug#25957: gitolite broken: created repositories keep references to /usr/bin for hooks

On Thu, Sep 01, 2022 at 10:41:21AM -0400, Thompson, David wrote:
> Hi Efraim,
>
> On Thu, Sep 1, 2022 at 10:20 AM Efraim Flashner wrote:
> >
> > On Thu, Sep 01, 2022 at 09:59:55AM -0400, Thompson, David wrote:
> > > Hi all,
> > >
> > > Reviving this old thread.
> > >
> > > On Mon, Mar 28, 2022 at 2:51 AM Efraim Flashner wrote:
> > > >
> > > > > Seems like all we have to do is 'substitute*' a '/usr/bin/svnserve'
> > > > > into a '/gnu/store/...' (untested), so seems actionable to me.
> > > > > Alternatively, as Efraim wrote, let it search the $PATH (that might be
> > > > > useful if adding svnserve would increase the closure too much and it is
> > > > > an optional dependency in practice?).
> > > >
> > > > I spent some time looking at gitolite and the service. As I understand
> > > > it, with the exception of svnserve, it searches $PATH for a number of
> > > > different binaries, including git-annex. I believe that this would only
> > > > work if git-annex (and potentially other packages) are installed
> > > > globally.
> > > >
> > > > In addition, git (not git-minimal) and openssh are propagated inputs AND
> > > > wrapped. I haven't tested to see if wrapping only is enough.
> > > >
> > > > I think the best choice is to:
> > > > A: Replace /usr/bin/svnserve with svnserve so it will just search $PATH,
> > > > like it does with the other helpers.
> > >
> > > I see that you have done this. Thanks! We could also replace the
> > > reference to /usr/sbin/redis-server in src/lib/Gitolite/Cache.pm.
> > > That's the only other /usr reference I can find (that isn't in a
> > > comment) in the output. I have the patch ready if that sounds good to
> > > you.
> >
> > Sounds good to me
>
> Thanks, pushed as commit c053dfa52dc778eb3d965f58a85c435ae7fab0dd.
>
> > > > B: Adjust the service so that it automatically creates a variant (or
> > > > just a wrapped version) of the package which is wrapped with a list of
> > > > additional packages so that they can be in gitolite's path. If I were
> > > > deploying this to an arm device I wouldn't want it wrapped with
> > > > git-annex since it doesn't build, but would definitely want it for an
> > > > x86_64 machine.
> > >
> > > The service configuration record could accept a list of addons like
> > > '(git-annex cache svnserve), with a default of no addons '(), and
> > > create a package that extends the gitolite package with the
> > > appropriate propagated inputs. Does that sound like what you had in
> > > mind? A more robust solution could modify the build to hardcode the
> > > store paths needed for the add-ons but given that we already propagate
> > > git and openssh I don't think it's necessary right now.
> >
> > Assuming this is deployed into some sort of container then propagated
> > inputs wouldn't help much, we'd need either the PATH for the container
> > to be extended to include those extra packages or to have gitolite
> > itself wrapped similar to icedove/wayland. Just extending the PATH in
> > the #:environment-variables would be enough I'd think.
>
> Hmm, I hadn't thought about the container use case. Your approach
> sounds like the way to go. For what it's worth, I think the gitolite
> service as-is would suffer the same issue in a containerized
> environment because it relies upon the git and openssh propagated
> inputs to do anything at all. With the gitolite service in my system,
> /run/current-system/profile/bin has both git and ssh in it due to the
> propagation. So it sounds like there's 2 steps needed: 1) Use a
> wrapper like icedove/wayland for the base gitolite package so that git
> and openssh no longer need propagation, and then 2) extend the
> gitolite service to wrap up additional packages needed for the desired
> extensions. Sound good?
>
> > > > I suppose we should try to find someone who is using the gitolite
> > > > service and see if they can be our test subject for wrapping the package
> > > > with optional addons.
> > >
> > > I use the gitolite service and can be the test subject. I don't
> > > currently use any add-ons, but the redis one sounds easy enough to try
> > > and hey maybe it's a good excuse to finally learn how to use
> > > git-annex.
> > >
> > > As a longer term thing, it would be cool to revisit propagating git
> > > and openssh in this package. I punted on it back in 2015 for the
> > > reason stated in the source comments but maybe there's a reasonable
> > > and reliable way to directly embed the store paths now.
> >
> > It's actually been forever since I looked at gitolite so I don't know
> > remember what those inputs were needed for, but it'd be great to improve
> > the service.
>
> Are you referring to git and openssh or redis, svnserve, git-annex,
> etc.? I'm no expert and I really don't like Perl, but I know gitolite
> well enough to explain some of this stuff.
>
> > Interestingly, I almost have a working ghc-8.6 for aarch64 after all
> > these years.
>
> Some things move at a glacial pace, but eventually they get done.
> Best of luck wrapping that up. :)

I took a look at the gitolite service finally and I hadn't realized
there wasn't a running daemon to containerize. I assumed we could do
something like:

(start #~(make-forkexec-constructor/container
           (list ...)
           #:environment-variables
           '("PATH=...")
           #:mappings ...))

Given that's not the case then I'd need to look at gitolite itself to
see how it calls the other binaries it expects to be available, and if
wrapping it would be enough or if we would need to just propagate the
other packages for functionality.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
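
The check mentioned in the thread, looking for /usr references in the package output that are not in a comment, can be scripted. This is an added example, not code from the thread, Guix or gitolite; the sample tree and its file contents are constructed, `src/helper.pl` is a hypothetical file name, and only full-line `#` comments are skipped.

```python
import os
import re
import tempfile

# Absolute FHS program paths; on Guix these do not resolve inside the store.
FHS_REF = re.compile(r"/usr/s?bin/[A-Za-z0-9._+-]+")

def find_fhs_refs(root):
    """Return sorted (relative path, line number, reference) tuples under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\0" in data:  # crude binary check: skip files with NUL bytes
                continue
            text = data.decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                stripped = line.lstrip()
                # A shebang is executed, so it counts even though it starts with '#'.
                is_shebang = lineno == 1 and stripped.startswith("#!")
                if stripped.startswith("#") and not is_shebang:
                    continue  # full-line comment (Perl/shell style)
                for m in FHS_REF.finditer(line):
                    findings.append((os.path.relpath(path, root), lineno, m.group(0)))
    return sorted(findings)

def build_sample_tree():
    """Constructed stand-in for a package output; the file contents are invented."""
    root = tempfile.mkdtemp()
    samples = {
        "src/lib/Gitolite/Cache.pm": "# needs /usr/sbin/redis-server\nmy $cmd = '/usr/sbin/redis-server';\n",
        "src/helper.pl": "# formerly /usr/bin/svnserve\nexec 'svnserve', '-t';\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for rel, lineno, ref in find_fhs_refs(build_sample_tree()):
        print(f"{rel}:{lineno}: {ref}")
```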