Subject: bug#25957: gitolite broken: created repositories keep references to /usr/bin for hooks
From: Efraim Flashner
To: "Thompson, David"
Cc: 25957@debbugs.gnu.org, zimoun
Date: Sun, 4 Sep 2022 10:26:05 +0300
List-Id: Bug reports for GNU Guix (bug-guix@gnu.org)
X-GNU-PR-Message: followup 25957
X-GNU-PR-Package: guix
Resent-Date: Sun, 04 Sep 2022 07:27:01 +0000
References: <6a325301e7cc55ee08652c67e49c3eb8a0802baa.camel@telenet.be>
X-PGP-Key-ID: 0x41AAE7DCCA3D8351
X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc
X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
On Fri, Sep 02, 2022 at 03:58:09PM -0400, Thompson, David wrote:
> On Fri, Sep 2, 2022 at 8:50 AM Thompson, David wrote:
> >
> > On Fri, Sep 2, 2022 at 8:44 AM Efraim Flashner wrote:
> > >
> > > On Fri, Sep 02, 2022 at 07:11:54AM -0400, Thompson, David wrote:
> > > > On Fri, Sep 2, 2022 at 3:00 AM Efraim Flashner wrote:
> > > > >
> > > > > I took a look at the gitolite service finally and I hadn't realized
> > > > > there wasn't a running daemon to containerize. I assumed we could do
> > > > > something like:
> > > > >
> > > > > (start #~(make-forkexec-constructor/container
> > > > >           (list ...)
> > > > >           #:environment-variables
> > > > >           '("PATH=...")
> > > > >           #:mappings ...))
> > > > >
> > > > > Given that's not the case then I'd need to look at gitolite itself to
> > > > > see how it calls the other binaries it expects to be available, and if
> > > > > wrapping it would be enough or if we would need to just propagate the
> > > > > other packages for functionality.
> > > >
> > > > Gitolite simply expects tools like git to be on $PATH. It's a pretty
> > > > naive system, there's nothing like a configure script that is
> > > > determining the absolute file name of these tools and substituting
> > > > those names into the built files.
> > > >
> > > > The executable is already wrapped so that coreutils, findutils, and
> > > > git are on $PATH, but notably not openssh:
> > > >
> > > > (add-after 'install 'wrap-scripts
> > > >   (lambda* (#:key inputs outputs #:allow-other-keys)
> > > >     (let ((out (assoc-ref outputs "out"))
> > > >           (coreutils (assoc-ref inputs "coreutils"))
> > > >           (findutils (assoc-ref inputs "findutils"))
> > > >           (git (assoc-ref inputs "git")))
> > > >       (wrap-program (string-append out "/bin/gitolite")
> > > >         `("PATH" ":" prefix
> > > >           ,(map (lambda (dir)
> > > >                   (string-append dir "/bin"))
> > > >                 (list out coreutils findutils git)))))))
> > > >
> > > > However, git and openssh are still propagated inputs. I'm going to
> > > > move the propagated inputs to regular inputs, potentially add openssh
> > > > to the wrapper once I remind myself what gitolite does with those
> > > > tools, and test it all out on my server using the gitolite service.
> > > > If that all works, we have a good starting point for adding extension
> > > > support in the service.
> > >
> > > I like it. Let us know how it goes.
> >
> > The problem is that gitolite generates git hooks for the repositories
> > that it manages, and those hooks invoke git, so the only way those
> > scripts will be able to work (without input propagation) is to find a
> > way to inject the proper PATH or find a way to replace references to
> > things like 'git diff' with '/gnu/store/.../git diff'. I'm going to
> > keep exploring and report back when I have something to show.
>
> After several rounds of experimentation and breaking my git server a
> few times, here's what I've found:
>
> * Changing git and openssh to be regular inputs and wrapping both
> gitolite and gitolite-shell with a $PATH that contains git works and
> it's very little extra code.
>
> * Trying to replace every invocation of a git command took a lot of
> grepping and crafting of regexps to use for substitute* and I never
> got to a point where the result wasn't buggy. In particular,
> gitolite-shell never worked properly so I couldn't push to my repos.
>
> So, I think the simple wrapper approach is the way to go. Patch
> attached. I tested on my git server by making changes to my gitolite
> configuration and pushing those changes to the special gitolite-admin
> repo. This causes gitolite to refresh internal configuration using a
> git hook, so I know that hooks can find the executables they need.
> That plus the 'gitolite setup' invocation made by the service
> activation script covers a fair amount of surface area, so I feel
> comfortable committing it. What do you think?
>
> Once this part is done, I'll turn my attention to the optional extensions.

Overall it looks good to me. I was going to ask about inetutils and
openssh since they're not wrapping the binaries but I see their paths
are substituted in the 'patch-source phase.

LGTM!

> From 413f2d28aa8bea2274b74c2b574fb9f8bf9c16ba Mon Sep 17 00:00:00 2001
> From: David Thompson > Date: Fri, 2 Sep 2022 14:33:01 -0400 > Subject: [PATCH] gnu: gitolite: Wrap programs instead of using propagated > inputs. >=20 > * gnu/packages/version-control.scm (gitolite)[arguments]: Add git to wrap= ped > $PATH and additionally wrap gitolite-shell. > [inputs]: Add git and openssh. > [propagated-inputs]: Remove it. > --- > gnu/packages/version-control.scm | 18 ++++++++---------- > 1 file changed, 8 insertions(+), 10 deletions(-) >=20 > diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-cont= rol.scm > index 15a9278fe8..1c775932c0 100644 > --- a/gnu/packages/version-control.scm > +++ b/gnu/packages/version-control.scm 
> @@ -1573,17 +1573,15 @@ (define-public gitolite > (coreutils (assoc-ref inputs "coreutils")) > (findutils (assoc-ref inputs "findutils")) > (git (assoc-ref inputs "git"))) > - (wrap-program (string-append out "/bin/gitolite") > - `("PATH" ":" prefix > - ,(map (lambda (dir) > - (string-append dir "/bin")) > - (list out coreutils findutils git)))))= ))))) > + (for-each (lambda (file-name) > + (wrap-program (string-append out fil= e-name) > + `("PATH" ":" prefix > + ,(map (lambda (dir) > + (string-append dir "/bin= ")) > + (list out coreutils findut= ils git))))) > + '("/bin/gitolite" "/bin/gitolite-shell= ")))))))) > (inputs > - (list bash-minimal perl coreutils findutils inetutils)) > - ;; git and openssh are propagated because trying to patch the source= via > - ;; regexp matching is too brittle and prone to false positives. > - (propagated-inputs > - (list git openssh)) > + (list bash-minimal git perl coreutils findutils inetutils openssh)) > (home-page "https://gitolite.com") > (synopsis "Git access control layer") > (description > --=20 > 2.37.2 >=20 --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --ZOQ06voTJckLO9TV Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmMUUwsACgkQQarn3Mo9 g1Ef8RAAuMXGFn56TZp8H76L63LFDVLuQZi/Q9MXuDefXeiENlZZtkM5kSQJjw0f nPepnVBKNWiFyqMMTT+Dq+ag15oCZLebaYysMvUJGnTOraN1bi7vmLpqySuA5OQU Da3EKXuLbFXrOUR8X13H0/R4ZQSPBIqY3NTtmFX5R9f1qGAadbACDibZch4yJ2i6 YafXWw4N2cd/3irSMOwVtkLUO/rH96m/kgpqxay8mPrfS4PvFICCaa+7w4kl23ga pPjp0S+yjb7UUIRyUYaus0Gy/4YgGtzFVLgO7c15YNQk0JxQShdlJjwnHXv0ITGz uK2//1SlvVgwnYSZAZAW8NQ6QzGgRMc2yOOtQn//m9xlYHi4mzZhI7Z9XfGonlbc 8DDXfDzsTdTVQRGtVrgMpdZ4A23iUDYlWnTy36HIgZ0+WEqgVZoO57Bqchfe9qCW a1LPIEKGTkE0FknSU3f2YNjOQAVDieqWXyx4lVGMwNTiBYxZ0eAYyvK9IPfnK7PO 
UXgaXW2GDzKYBiByUvIITiWF74MX0wvE2Q5Iil3yFjp7VduJYgJxP4VwK6hoBAGm 3UzrWdArDIJG7AUNnH2Zs+zp/lrsKB+4+Pa6sed33oEyg/tF6CMVFkqjtizV561v IxA/DFGijQ0ns41Rp1B2uBy8tmMJOZ6Tf+Y9tPPzr6MkHy4E2xM= =jLTU -----END PGP SIGNATURE----- --ZOQ06voTJckLO9TV--
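Review bot: with the `;; git and openssh are propagated because trying to patch the source via regexp matching is too brittle` comment deleted in the `(inputs ...)` part of the hunk, nothing left in the file explains why `git` now appears in the wrapped `PATH` (`(list out coreutils findutils git)`) while `openssh` and `inetutils`, which are also regular inputs, do not; add a one-line comment above the new `for-each` saying that gitolite and the hooks it generates call plain `git`, and that openssh and inetutils are handled by substitution in the 'patch-source phase (the point Efraim raises above), so the next reader does not try to add them to the wrapper. It is also worth noting there that `prefix` puts the store directories ahead of whatever `PATH` the SSH session arrives with, so a `git` earlier in the user's environment cannot shadow the one `gitolite-shell` was built against; that ordering is the property that makes the wrapper approach acceptable for an access-control layer and it is currently implicit.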
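A practitioner applying this change would want two checks on the host: that the hooks gitolite has already written into existing bare repositories do not still hard-code /usr/bin (the symptom in the bug title), and that a hook which calls plain `git` resolves to the store git once the entry points are wrapped with a PATH prefix. The POSIX sh script below is an added example written for this page, not code from Guix, gitolite or the patch above. The two bare-repository skeletons, the fake store git and the hook contents (including the `#!/usr/bin/perl` shebang) are constructed fixtures, and the `PATH="<dir>:$PATH"` shape used in `resolve_with_prefix` is an assumption about what a `("PATH" ":" prefix ...)` wrapper produces, since the thread does not show the generated wrapper text. It goes slightly beyond the thread by scanning the hook's shebang line as well as its body.

```shell
#!/bin/sh
# Added example for this thread (not from Guix, gitolite or the patch).
# 1) audit_hooks: find hook lines that still point at /usr/bin, which
#    does not exist on Guix System.
# 2) resolve_with_prefix: show which "git" a PATH-only hook gets when a
#    directory is put in front of PATH, the shape a wrap-program
#    ("PATH" ":" prefix ...) spec is assumed to produce.
# All files below are constructed fixtures under a temporary directory.

# audit_hooks REPO: print "file:line:text" for each hook line that
# mentions /usr/bin (shebang or body); return 1 if any were found.
# /dev/null is passed as a second file so grep prints the file name.
audit_hooks() {
    _repo=$1
    _bad=0
    for _hook in "$_repo"/hooks/*; do
        [ -f "$_hook" ] || continue
        if grep -n '/usr/bin' "$_hook" /dev/null; then
            _bad=1
        fi
    done
    return $_bad
}

# resolve_with_prefix DIR CMD: print the path CMD resolves to when DIR
# is placed in front of the caller's PATH (assumed wrapper shape).
resolve_with_prefix() {
    ( PATH="$1${PATH:+:}$PATH"; command -v "$2" )
}

# make_fixture: create the constructed sample data under $FIX.
make_fixture() {
    FIX=$(mktemp -d)

    # stand-in for /gnu/store/...-git/bin/git, so nothing here depends
    # on the host's own git
    mkdir -p "$FIX/store-git/bin"
    printf '#!/bin/sh\necho fake store git "$@"\n' > "$FIX/store-git/bin/git"

    # hooks of the kind the bug title describes: absolute /usr/bin paths
    mkdir -p "$FIX/bad.git/hooks"
    printf '#!/usr/bin/perl\nexec "/usr/bin/git", "update-server-info";\n' \
        > "$FIX/bad.git/hooks/post-update"

    # hooks that rely on PATH only, which is what the wrapper approach expects
    mkdir -p "$FIX/good.git/hooks"
    printf '#!/bin/sh\nexec git update-server-info\n' \
        > "$FIX/good.git/hooks/post-update"

    chmod +x "$FIX/store-git/bin/git" "$FIX"/*.git/hooks/*
}

make_fixture
trap 'rm -rf "$FIX"' EXIT

echo "== hook lines that hard-code /usr/bin =="
for _r in bad.git good.git; do
    if audit_hooks "$FIX/$_r"; then
        echo "$_r: clean"
    else
        echo "$_r: would break on Guix System"
    fi
done

echo "== 'git' as seen by a PATH-only hook under the wrapper =="
resolve_with_prefix "$FIX/store-git/bin" git
```

On a real gitolite host, point `audit_hooks` at each bare repository gitolite manages and call `resolve_with_prefix` with the store git's `bin` directory. Because the wrapper uses `prefix`, the store directories come before anything already in the SSH user's PATH, so a stray `git` earlier in that PATH cannot shadow the one the package was built against; that is the ordering an access-control front end like gitolite-shell should have.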