external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
aurweb/doc/git-interface.txt
Lukas Fleischer ff36b23153 Fix instructions for omitting "have" lines 
In 002d348 (Describe how to omit "have" lines, 2015-11-14), we added
instructions on how to omit "have" lines originating from other package
repositories. Fix those instructions such that the HEAD ref of the
repository is transferred properly.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-03-15 17:58:45 +01:00

95 lines
4.4 KiB
Text
Raw Blame History

The aurweb Git and SSH interface
================================
Git storage
-----------
Since release 4.0.0, aurweb uses Git repositories to store packages. Git
namespaces (see gitnamespaces(7)) are used to share the object database, such
that delta compression can be applied across package base boundaries.
Internally, all packages are stored in a single Git repository. Special refs,
so-called namespaced branches, are used to refer to the commits corresponding
to the actual package bases. For convenience, we also create a branch for each
package repository that carries the name of the corresponding package base,
such that one can easily access the history of a given package base by running
`git log <pkgbase>`. To the end-user, the individual namespaced branches are
presented as separate Git repositories.
Authentication: git-auth
------------------------
Pushing to package repositories is possible via SSH. In order to access the SSH
interface, users first need to add an SSH public key to their account using the
web interface. Authentication is performed by the git-auth
AuthorizedKeysCommand script (see sshd_config(5) for details) that looks up the
public key in the AUR user table. Using this concept of "virtual users", there
is no need to create separate UNIX accounts for each registered AUR user.
If the public key is found, the corresponding authorized_keys line is printed
to stdout. If the public key does not exist, the login is denied. The
authorized_keys line also contains a forced command such that authenticated
users cannot access anything on the server except for the aurweb SSH interface.
The forced command can be configured in the aurweb configuration file and
usually points to the git-serve program.
The INSTALL file in the top-level directory contains detailed instructions on
how to configure sshd(8) to use git-auth for authentication.
The Shell: git-serve
--------------------
The git-serve command, the "aurweb shell", provides different subcommands:
* The help command shows a list of available commands.
* The list-repos command lists all repositories of the authenticated user.
* The setup-repo command can be used to create a new repository.
* The restore command can be used to restore a deleted package base.
* The git-{receive,upload}-pack commands are redirected to git-shell(1).
The requested command is extracted from the SSH_ORIGINAL_COMMAND environment
variable which is usually set by the SSH daemon. If no command is specified,
git-serve displays a message that aurweb does not provide an interactive shell.
When invoking git-shell(1), the git-serve command also redirects all paths to
the shared Git repository and sets up the GIT_NAMESPACE environment variable
such that Git updates the right namespaced branch.
The Update Hook: git-update
---------------------------
The Git update hook, called git-update, performs several subtasks:
* Prevent from creating branches or tags other than master.
* Deny non-fast-forwards, except for Trusted Users and Developers.
* Check each new commit (validate meta data, impose file size limits, ...)
* Update package base information and package information in the database.
* Update the named branch and the namespaced HEAD ref of the package.
It needs to be added to the shared Git repository, see INSTALL in the top-level
directory for further information.
Accessing Git repositories via HTTP
-----------------------------------
Git repositories can also be accessed via HTTP by configuring the web server to
forward specific requests to git-http-backend(1). Note that, since Git
namespaces are used internally, the web server also needs to rewrite URIs and
setup the GIT_NAMESPACE environment variable accordingly before forwarding a
request.
An example configuration for nginx and fcgiwrap can be found in the INSTALL
instructions in the top-level directory.
Further Configuration
---------------------
When using Git namespaces, Git advertises refs outside the current namespace as
so-called "have" lines. This is normally used to reduce traffic but it has the
opposite effect in the case of aurweb: Many essentially useless lines are
transferred to the Git client during `git push` operations.
In order to omit these advertisements, add the strings "^refs/", "!refs/" and
"!HEAD" to the transfer.hideRefs configuration setting. Note that the order of
these patterns is important ("^refs/" must come first) and that Git 2.7 or
newer is required for them to work.
Reference in a new issue View git blame Copy permalink