Package: git-debpush
Version: 13.16
git's insteadOf config option can defeat git-debpush's availability
check from #1111319. In multiple different ways!
1.
Job 1364 failed due to an inaccessible repository. We think the
accessibility check was defated by this:
Colin Watson writes ("Re: tag2upload 1364, pytest-aiohttp"):
> [url "git+ssh://[email protected]/"]
> insteadof = salsa:
>
> And for this repository:
>
> [remote "origin"]
> url = salsa:python-team/packages/pytest-aiohttp
> fetch = +refs/heads/*:refs/remotes/origin/*
>
> (This is my usual habit: it normally results in less typing.)
The user has used the insteadOf feature to create what is effectively
a local alias "salsa". This seems a reasonable configuration to me.
2.
This is sort of the opposite problem to that seen here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111319#44
In that bug, the user is redirecting all queries to salsa from https
to git.
Contrary to Sean's opinion, I think this is also a reasononable
configuration. One reason to do this rather than pushInsteadOf is
that it switches authentication for read-only accesses from the X.509
TLS cabal, to ssh.
3.
Another way things might go wrong is if the user has some kind of
proxy arrangements. For example, chiark-utils's git-cache-proxy:
https://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=blob;f=scripts/git-cache-proxy;h=13b13e7c501a7a75aa8b7859856f7f37adad449f;hb=HEAD
In principle a user might have all three of these!
I think git-debpush needs to:
* Resolve insteadOf configuration manually to discover the actual URL
that is going to be used. *Each* url found this way should be
checked against the Debian-specific salsa git@ pattern.
IOW if *any* of the resolution steps result in [email protected]
or equivalent, we should do the (Debian-specific) salsa
accessibility check.
Open questions: (i) should this involve pushInsteadOf or insteadOf
or both? (ii) is there a way to implement this by calling git,
other than by reimplementing git's algorithm?
* If this results in a match giving an salsa https:// URL,
git-debpush should make the actual availability check without
honouring *any* insteadOf, so that it makes an actual https
request. One easy way to do that would be to use curl rather than
git. (That's what I'm doing for the new retry logic in t2usm.)
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
