all messages for Guix-related lists mirrored at yhetil.org
* building packages with git+ssh
@ 2017-02-16  1:17 Chaitan Rogers
  2017-03-06  9:49 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Chaitan Rogers @ 2017-02-16  1:17 UTC (permalink / raw)
  To: guix-devel@gnu.org


Hi,


We are trying to build code that is stored in an internal repository that is only accessible via git+ssh. This failed because openssh isn't included in the set of inputs that are available to the cloning process. After speaking to "rekado" and others on IRC, I forked git-download.scm and modified it to include ssh. This meant that git was able to invoke ssh successfully but the process subsequently failed due to failed host key verification. Perhaps with some hacking we may be able to convince ssh to ignore the host key but we'll probably have more problems with keys / secrets etc. that aren't in the jail.


I also tried to get the package source into the jail by building with --with-source. This almost worked but I noticed that the flag seems to apply to the package being built but not any of its dependencies - i.e. providing it multiple times for dependent packages had no effect.


Has anybody managed to clone code from a secure repo over ssh? I think this would be a very useful feature especially in corporate environments. What's the best way forward from here?


Cheers,


Chaitan





* Re: building packages with git+ssh
  2017-02-16  1:17 building packages with git+ssh Chaitan Rogers
@ 2017-03-06  9:49 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2017-03-06  9:49 UTC (permalink / raw)
  To: Chaitan Rogers; +Cc: guix-devel@gnu.org

Hello,

Sorry for the late reply.

Chaitan Rogers <chaitan_rogers@hotmail.com> writes:

> We are trying to build code that is stored in an internal repository that is only accessible via git+ssh. This failed because openssh isn't included in the
> set of inputs that are available to the cloning process. After speaking to "rekado" and others on IRC, I forked git-download.scm and modified it to
> include ssh. This meant that git was able to invoke ssh successfully but the process subsequently failed due to failed host key verification. Perhaps
> with some hacking we may be able to convince ssh to ignore the host key but we'll probably have more problems with keys / secrets etc. that aren't
> in the jail.

I think you could arrange to set ‘HOME’ in git-download.scm (in the #~
expression that’s in there), and then populate ~/.ssh/known_hosts with
the relevant OpenSSH host public key (see ‘local-file’ for how to intern
a file into the store.)

If that sounds obscure to you, we can discuss the details here starting
from the patch you have.

> I also tried to get the package source into the jail by building with --with-source. This almost worked but I noticed that the flag seems to apply to the
> package being built but not any of its dependencies - i.e. providing it multiple times for dependent packages had no effect.

Right, currently --with-source only applies to the “tip” (unlike
--with-input, which rewrites the dependency graph recursively).

We could change that or add a different option to do what you want.
Either way it’s mainly a matter of using ‘package-input-rewriting’ and
shouldn’t be hard.

Thoughts?

Thanks,
Ludo’.
