From mboxrd@z Thu Jan 1 00:00:00 1970
From: Chaitan Rogers
Subject: building packages with git+ssh
Date: Thu, 16 Feb 2017 01:17:29 +0000
To: guix-devel@gnu.org

Hi,

We are trying to build code that is stored in an internal repository that is only accessible via git+ssh. This failed because openssh isn't included in the set of inputs that are available to the cloning process. After speaking to "rekado" and others on IRC, I forked git-download.scm and modified it to include ssh. This meant that git was able to invoke ssh successfully but the process subsequently failed due to failed host key verification. Perhaps with some hacking we may be able to convince ssh to ignore the host key but we'll probably have more problems with keys / secrets etc. that aren't in the jail.

I also tried to get the package source into the jail by building with --with-source. This almost worked but I noticed that the flag seems to apply to the package being built but not any of its dependencies - i.e. providing it multiple times for dependent packages had no effect.

Has anybody managed to clone code from a secure repo over ssh? I think this would be a very useful feature especially in corporate environments. What's the best way forward from here?

Cheers,
Chaitan
From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: building packages with git+ssh
Date: Mon, 06 Mar 2017 10:49:27 +0100
Message-ID: <87fuiqybtk.fsf@gnu.org>
In-Reply-To: (Chaitan Rogers's message of "Thu, 16 Feb 2017 01:17:29 +0000")
To: Chaitan Rogers
Cc: guix-devel@gnu.org

Hello,

Sorry for the late reply.

Chaitan Rogers wrote:

> We are trying to build code that is stored in an internal repository that is only accessible via git+ssh. This failed because openssh isn't included in the
> set of inputs that are available to the cloning process. After speaking to "rekado" and others on IRC, I forked git-download.scm and modified it to
> include ssh. This meant that git was able to invoke ssh successfully but the process subsequently failed due to failed host key verification. Perhaps
> with some hacking we may be able to convince ssh to ignore the host key but we'll probably have more problems with keys / secrets etc. that aren't
> in the jail.
I think you could arrange to set ‘HOME’ in git-download.scm (in the #~ expression that’s in there), and then populate ~/.ssh/known_hosts with the relevant OpenSSH host public key (see ‘local-file’ for how to intern a file into the store.) If that sounds obscure to you, we can discuss the details here starting from the patch you have.

> I also tried to get the package source into the jail by building with --with-source. This almost worked but I noticed that the flag seems to apply to the
> package being built but not any of its dependencies - i.e. providing it multiple times for dependent packages had no effect.

Right, currently --with-source only applies to the “tip” (unlike --with-input, which rewrites the dependency graph recursively). We could change that or add a different option to do what you want. Either way it’s mainly a matter of using ‘package-input-rewriting’ and shouldn’t be hard.

Thoughts?

Thanks,
Ludo’.
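An added illustration of the two approaches Ludovic sketches in the reply above (example code, not from the thread and not Guix's own git-download.scm): a G-expression fragment that gives the build a HOME with an interned known_hosts file so ssh verifies the host key instead of skipping the check, and package-input-rewriting to push a local-source replacement through the whole dependency graph. The file name internal-known_hosts, the packages internal-lib and internal-app, and the checkout path are assumptions.

```scheme
(use-modules (guix gexp)
             (guix packages)
             (gnu packages ssh))   ; provides the `openssh' package

;; Host-key material for the internal server, interned into the store so it
;; is visible inside the build environment.  The file (assumed to exist next
;; to this module) holds one line in OpenSSH known_hosts format.
(define internal-known-hosts
  (local-file "internal-known_hosts"))

;; Fragment of the kind that would go into the #~ expression of
;; git-download.scm: give the build a HOME, install known_hosts there, and
;; point git at the ssh from the openssh package.  StrictHostKeyChecking=yes
;; makes an unknown or changed host key a hard failure instead of a prompt.
;; (Authentication keys are a separate problem, as the thread notes.)
(define ssh-setup
  (with-imported-modules '((guix build utils))
    #~(begin
        (use-modules (guix build utils))
        (let ((home (getcwd)))
          (setenv "HOME" home)
          (mkdir-p (string-append home "/.ssh"))
          (copy-file #$internal-known-hosts
                     (string-append home "/.ssh/known_hosts"))
          (setenv "GIT_SSH_COMMAND"
                  (string-append #$openssh "/bin/ssh"
                                 " -o StrictHostKeyChecking=yes"))))))

;; Second point of the reply: --with-source replaces only the tip, whereas
;; package-input-rewriting walks the whole dependency graph.  `internal-lib'
;; and `internal-app' are hypothetical packages assumed to be defined
;; elsewhere; "/path/to/checkout" is a placeholder for a local checkout.
(define internal-lib/local-source
  (package
    (inherit internal-lib)
    (source (local-file "/path/to/checkout" #:recursive? #t))))

(define use-local-internal-lib
  (package-input-rewriting
   `((,internal-lib . ,internal-lib/local-source))))

;; internal-app, and every dependency of it that pulls in internal-lib, now
;; builds from the local checkout.
(define internal-app/local-source
  (use-local-internal-lib internal-app))
```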