path: root/doc/todo/gitolite_and_gitosis_support.mdwn
blob: 12e26243e4a769fe86337431f30129cfdf0306bf (plain)
gitosis and gitolite should support git-annex being used to send/receive
files from the repositories they manage. Users with read-only access
could only get files, while users with write access could also put and drop
files.

Doing this right requires modifying both programs: adding [[git-annex-shell]]
to the list of things they can run, and allowing only the appropriate
git-annex-shell subcommands through for read-only users.

I have posted an RFC for modifying gitolite to the
[gitolite mailing list](http://groups.google.com/group/gitolite?lnk=srg).

> I have not developed a patch yet, but all that git-annex needs is a way
> to ssh to the server and run the git-annex-shell command there.
> git-annex-shell is very similar to git-shell. So, one way to enable
> it is simply to set GL_ADC_PATH to a directory containing git-annex-shell.
> 
> But, that's not optimal, since git-annex-shell will send off receive-pack
> commands to git, which would bypass gitolite's permissions checking.
> Also, it makes sense to limit readonly users to only download, not
> upload/delete files from git-annex. Instead, I suggest adding something
> like this to gitolite's config:
 
	# If set, users with W access can write file contents into the git-annex,
	# and users with R access can read file contents from the git-annex.
	$GL_GIT_ANNEX = 0;

> If this makes sense, I'm sure I can put a patch together for your
> review. It would involve modifying gl-auth-command so it knows how
> to run git-annex-shell, and how to parse out the "verb" from a
> git-annex-shell command line, and modifying R_COMMANDS and W_COMMANDS.

As I don't write Python, someone else is needed to work on gitosis.
--[[Joey]] 

## readonly commands

* git-annex-shell configlist $directory
* git-annex-shell inannex $directory [$key ...]
* git-annex-shell sendkey $directory $key

## read-write commands

* git-annex-shell dropkey $directory [$key ...]
* git-annex-shell recvkey $directory $key

## other git-annex-shell parameters

All parameters like --uuid=foo and --force are safe and need to be allowed
through.
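
The check described above (parse the verb out of the git-annex-shell command line, then compare it with the user's access to the repository) can be sketched as follows. This is an added example, not code from gitolite, gitosis or git-annex; the names `authorize_annex_command`, `access_for` and `Denied` are hypothetical, and the caller is assumed to supply the ssh command string and a lookup returning "R", "W" or None for a directory.

```python
import shlex

# Verb lists taken from the "readonly commands" and "read-write commands" sections.
READ_VERBS = {"configlist", "inannex", "sendkey"}
WRITE_VERBS = {"dropkey", "recvkey"}


class Denied(Exception):
    """Raised when the requested command must not be run (hypothetical name)."""


def authorize_annex_command(original_command, access_for):
    """Return (verb, directory, argv) if the command is permitted, else raise Denied.

    original_command: the string the ssh client asked to run.
    access_for: hypothetical callback mapping a directory to "R", "W" or None.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise Denied("unparseable command line") from exc

    if not argv or argv[0] != "git-annex-shell":
        raise Denied("not a git-annex-shell command")

    # Parameters such as --uuid=foo and --force are allowed through untouched;
    # only the positional arguments take part in the permission check.
    positional = [a for a in argv[1:] if not a.startswith("--")]
    if len(positional) < 2:
        raise Denied("missing verb or directory")
    verb, directory = positional[0], positional[1]

    if verb in READ_VERBS:
        allowed = {"R", "W"}  # write access also permits reading
    elif verb in WRITE_VERBS:
        allowed = {"W"}
    else:
        # Unknown verbs are refused rather than guessed at.
        raise Denied("unsupported verb: %s" % verb)

    if access_for(directory) not in allowed:
        raise Denied("insufficient access for %s on %s" % (verb, directory))
    # argv is a list, so the caller can exec it directly without a shell.
    return verb, directory, argv
```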