Re: [Python-Dev] Admin access using svn+ssh
Barry Warsaw wrote:
> > Not sure what the right place would be: [EMAIL PROTECTED]
>
> I think the email could look any way we want it to look. I think it should be username@python.org where username is the firstname.lastname (with some exceptions) scheme that we've agreed on. I actually /don't/ want all commits to look like they're coming from [EMAIL PROTECTED]

Ok, I have now changed all user names for the python repository to firstname.lastname. That should allow to use them in From: fields of commit email.

Regards,
Martin
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Admin access using svn+ssh
On 8/22/05, Martin v. Löwis [EMAIL PROTECTED] wrote:
> James Y Knight wrote:
> > It seems a waste to use SVN's webdav support just for anon access. The svnserve method works well for anon access. The only reason to use svn webdav IMO is if you want to use that for authenticated access. But since you're talking about using svn+ssh for that..
>
> It has the advantage that we can easily point people to files with a web browser; they don't need an svn client.

It also allows anonymous svn checkouts for people behind firewalls that only allow HTTP through.

Paul.
Re: [Python-Dev] Admin access using svn+ssh
Barry Warsaw wrote:
> I may be totally misunderstanding, but to get shell access wouldn't I avoid using the pythondev account and just use my own account?

You could do that (or use the root account); I can't: I don't have a ssh account on dinsdale. And even if I had, I couldn't write to pythondev's authorized_keys2.

> I'm also a little confused about the pep. What does admin access to the pythondev account mean? Do you mean the people who are going to be managing users that can access svn?

Correct.

> In that case, I think the system admins (i.e. those who already have shell access to dinsdale) would be the people managing user access to svn.

Ok: to whom should I forward the ssh keys then which I'm currently collecting?

> >     Host pythondev
> >       Hostname dinsdale.python.org
> >       User pythondev
> >       IdentityFile ~/.ssh/pythondev
> >
> > So when I do ssh pythondev, I get the shell account; when I do svn co svn+ssh://[EMAIL PROTECTED]/python/trunk/Modules, I use my default identity, which gets tunneled as Martin v. Loewis.
>
> I'm confused again; are you saying that we should have a host named pythondev.python.org? I'm not sure that's necessary.

Not at all. This is rather an OpenSSH convenience mechanism to avoid typing hostname and user name all the time. I introduce a local alias pythondev, which means I want to access [EMAIL PROTECTED], using the key pythondev.pub.

Regards,
Martin
Re: [Python-Dev] Admin access using svn+ssh
Aahz wrote:
> > >     Host pythondev
> > >       Hostname dinsdale.python.org
> > >       User pythondev
> > >       IdentityFile ~/.ssh/pythondev
> >
> > I'm confused again; are you saying that we should have a host named pythondev.python.org? I'm not sure that's necessary.
>
> No, pythondev is simply an SSH alias for dinsdale -- the server knows nothing about it. I don't quite understand the User pythondev line, though -- I think that's a mistake.

That's intentional. ssh pythondev now becomes equivalent to

    ssh -l pythondev -i ~/.ssh/pythondev dinsdale.python.org

IOW, the User option is equivalent to specifying the -l option.

Regards,
Martin
Re: [Python-Dev] Admin access using svn+ssh
Barry Warsaw wrote:
> > You could do that (or use the root account); I can't: I don't have a ssh account on dinsdale. And even if I had, I couldn't write to pythondev's authorized_keys2.
>
> That's easily rectified! :) We should give you an account and sudo access. Should I just use your keys from creosote?

Please do!

> > Ok: to whom should I forward the ssh keys then which I'm currently collecting?
>
> Probably here, unless once you have the above, you still want to do it yourself.

I would be worried that you are a single point of failure here: for sf.net/projects/python, multiple people can add new users, and I think we should continue that tradition. I would be happy with *different* people being able to manage that, but the group should be larger than two, IMO.

Regards,
Martin
Re: [Python-Dev] Admin access using svn+ssh
Martin,

I'm completely confused about what, if anything, I need to send to you. I can already access the python.org website repository via svn. Will I automatically get access to the new Python source repository or do I need to send you pub key(s)?

Are dinsdale.python.org and svn.python.org the same machine with different IP addresses? If they are different machines, why would we want to host svn repositories on multiple machines?

Skip
Re: [Python-Dev] Admin access using svn+ssh
On Mon, Aug 22, 2005, Martin v. Löwis wrote:
> Aahz wrote:
> > Barry:
> > > Martin:
> > > >     Host pythondev
> > > >       Hostname dinsdale.python.org
> > > >       User pythondev
> > > >       IdentityFile ~/.ssh/pythondev
> > >
> > > I'm confused again; are you saying that we should have a host named pythondev.python.org? I'm not sure that's necessary.
> >
> > No, pythondev is simply an SSH alias for dinsdale -- the server knows nothing about it. I don't quite understand the User pythondev line, though -- I think that's a mistake.
>
> That's intentional. ssh pythondev now becomes equivalent to
>
>     ssh -l pythondev -i ~/.ssh/pythondev dinsdale.python.org
>
> IOW, the User option is equivalent to specifying the -l option.

Yes, I know -- but it looks like a mistake to me. Are you saying that all shell access will be done through a single account? Isn't that a huge security risk? My understanding was that it was SVN access that would be going through a single account, not shell access.

--
Aahz ([EMAIL PROTECTED]) * http://www.pythoncraft.com/

The way to build large Python applications is to componentize and loosely-couple the hell out of everything.
Re: [Python-Dev] Admin access using svn+ssh
On Mon, 2005-08-22 at 11:18, [EMAIL PROTECTED] wrote:
> I'm completely confused about what, if anything, I need to send to you. I can already access the python.org website repository via svn. Will I automatically get access to the new Python source repository or do I need to send you pub key(s)?

I think technically, the answer to that is yes, you will automatically get access to the source repo. The question I have is whether you /should/ access the source repo that way, or use the shared pythondev account. Two unknowns for me are 1) will there be permission problems that either prevent you from doing this, or once you've committed a change, will screw pythondev-access?; 2) when we finally get email notifications worked in, will it still look like your commit is coming from the right place. I think the answer to #2 is yes, but I'm not sure about #1.

> Are dinsdale.python.org and svn.python.org the same machine with different IP addresses? If they are different machines, why

They are the same machine, with different IP addresses. Anonymous webdav will require two Apache processes, since different user/groups are needed and to support different certs for svn.python.org and (eventually) www.python.org.

-Barry
Re: [Python-Dev] Admin access using svn+ssh
>> Will I automatically get access to the new Python source repository or do I need to send you pub key(s)?

Barry> I think technically, the answer to that is yes, you will
Barry> automatically get access to the source repo.

Okay...

Barry> The question I have is whether you /should/ access the source
Barry> repo that way, or use the shared pythondev account.

More confusion here. If I use some sort of shared access how will the system ascribe changes I make to me and not, for example, Martin?

I think until this experiment is over and we have really and truly migrated to svn I will simply let other people fuss with things.

Skip
Re: [Python-Dev] Admin access using svn+ssh
On Aug 22, 2005, at 11:32 AM, Barry Warsaw wrote:
> They are the same machine, with different IP addresses. Anonymous webdav will require two Apache processes, since different user/groups are needed and to support different certs for svn.python.org and (eventually) www.python.org.

It seems a waste to use SVN's webdav support just for anon access. The svnserve method works well for anon access. The only reason to use svn webdav IMO is if you want to use that for authenticated access. But since you're talking about using svn+ssh for that..

James
Re: [Python-Dev] Admin access using svn+ssh
[EMAIL PROTECTED] wrote:
> I'm completely confused about what, if anything, I need to send to you. I can already access the python.org website repository via svn.

Yes, but you do so using username/password, right? pythondev will be using svn+ssh.

> Will I automatically get access to the new Python source repository or do I need to send you pub key(s)?

You need to send me pubkeys. Actually, I just copied the ones from creosote (see below). You should now be able to checkout

    svn+ssh://[EMAIL PROTECTED]/python/trunk

> Are dinsdale.python.org and svn.python.org the same machine with different IP addresses?

Correct.

> If they are different machines, why would we want to host svn repositories on multiple machines?

We don't. However, we use different access methods. Actually, we *might* use different access methods. If this turns out to be too confusing to users, we are probably back to username/password.

Regards,
Martin

P.S. The keys I installed are
Re: [Python-Dev] Admin access using svn+ssh
Aahz wrote:
> Yes, I know -- but it looks like a mistake to me. Are you saying that all shell access will be done through a single account? Isn't that a huge security risk? My understanding was that it was SVN access that would be going through a single account, not shell access.

Only few selected people would have shell access; I don't see that as a huge risk. Anyway, Barry didn't like it either, so we removed shell access to the pythondev account; user keys now need to be added by the pydotorg admins.

Regards,
Martin
Re: [Python-Dev] Admin access using svn+ssh
[EMAIL PROTECTED] wrote:
> More confusion here. If I use some sort of shared access how will the system ascribe changes I make to me and not, for example, Martin?

In pythondev's authorized_keys2, we have a line

    command="/usr/bin/svnserve --root=/data/repos/projects -t --tunnel-user 'Skip Montanaro'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss <your key>

So the *only* command you are allowed to invoke is svnserve (actually, sshd will invoke that no matter what the ssh client requests). This will tell subversion that changes should be logged as 'Skip Montanaro'.

> I think until this experiment is over and we have really and truly migrated to svn I will simply let other people fuss with things.

Well, you are not required to understand it, but you should try to use it. Just check out svn+ssh://[EMAIL PROTECTED]/python/trunk/Misc, and see whether this works.

Regards,
Martin
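The key restriction described in the message above, turned into a check an admin of the shared account could run over its authorized_keys file. This is an added example, not part of the original thread or of the python.org setup; the function names and the sample lines (with placeholder key material) are constructed, and accepting OpenSSH's `restrict` option in place of the individual no-* options goes beyond what the thread discusses.

```python
import shlex

# Restrictions named in the thread's authorized_keys2 line (keywords are
# case-insensitive, so they are compared in lower case).
REQUIRED_FLAGS = {"no-port-forwarding", "no-x11-forwarding",
                  "no-agent-forwarding", "no-pty"}
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample; the key material is placeholder text.
SAMPLE = """\
# shared svn account
command="/usr/bin/svnserve --root=/data/repos/projects -t --tunnel-user 'Skip Montanaro'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAplaceholder1 skip
ssh-rsa AAAAplaceholder2 admin-shell-key
command="/usr/bin/svnserve -t --root=/data/repos/projects",no-pty ssh-rsa AAAAplaceholder3 anon
"""


def parse_options(line):
    """Return the option dict of one authorized_keys line ({} if it has none)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted          # quotes delimit a value; drop them
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            break                        # end of the options field
        else:
            cur += ch
    opts.append(cur)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value.replace('\\"', '"')
    return parsed


def tunnel_user(command):
    """Return the name svnserve will record for commits, or None."""
    argv = shlex.split(command)
    is_svnserve = bool(argv) and argv[0].rsplit("/", 1)[-1] == "svnserve"
    if not is_svnserve or not {"-t", "--tunnel"} & set(argv):
        return None
    for i, arg in enumerate(argv):
        if arg == "--tunnel-user" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--tunnel-user="):
            return arg.split("=", 1)[1]
    return None


def audit(line):
    """List what is missing for the key to be usable only for attributed svn access."""
    opts = parse_options(line)
    findings = []
    if "command" not in opts:
        findings.append("no forced command: key gets a shell as the shared user")
    elif tunnel_user(opts["command"]) is None:
        findings.append("forced command is not 'svnserve -t --tunnel-user NAME'")
    if "restrict" not in opts:           # 'restrict' implies all the no-* options
        findings += ["missing " + f for f in sorted(REQUIRED_FLAGS - set(opts))]
    return findings


def audit_file(text):
    """Map line number -> findings for every key line in the file text."""
    return {n: audit(line) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")}


if __name__ == "__main__":
    for n, findings in audit_file(SAMPLE).items():
        print(n, findings or "ok")
```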
Re: [Python-Dev] Admin access using svn+ssh
James Y Knight wrote:
> It seems a waste to use SVN's webdav support just for anon access. The svnserve method works well for anon access. The only reason to use svn webdav IMO is if you want to use that for authenticated access. But since you're talking about using svn+ssh for that..

It has the advantage that we can easily point people to files with a web browser; they don't need an svn client.

Regards,
Martin
Re: [Python-Dev] Admin access using svn+ssh
On Mon, 2005-08-22 at 12:16, Martin v. Löwis wrote:
> Barry Warsaw wrote:
> > I think technically, the answer to that is yes, you will automatically get access to the source repo.
>
> At the moment, the answer actually is no. For the projects repository, there is no group write permission - you must be pythondev in order to write.

Good! I think that's a feature. :) I have a vague discomfort with allowing both types of access. I.e. I'd rather all source committers use the same mechanism.

> > 2) when we finally get email notifications worked in, will it still look like your commit is coming from the right place.
>
> Not sure what the right place would be: [EMAIL PROTECTED]

I think the email could look any way we want it to look. I think it should be username@python.org where username is the firstname.lastname (with some exceptions) scheme that we've agreed on. I actually /don't/ want all commits to look like they're coming from [EMAIL PROTECTED]

> > and to support different certs for svn.python.org and (eventually) www.python.org.
>
> Ah. I think anonymous read access should be on port 80.

Maybe we want to put websvn (or whatever it's called these days) on port 80 of svn.python.org?

-Barry
Re: [Python-Dev] Admin access using svn+ssh
Phillip J. Eby wrote:
> You can do that with viewcvs, too. Viewcvs can also create tarballs for easy downloading, and has a lot of browsing and viewing options that the SVN webdav mode doesn't.

True. I had some issues with viewcvs, though: you cannot provide access control easily, as you cannot force it to slash-separated mode; it also couldn't fetch the history across renames. These may have been fixed meanwhile, of course.

Regards,
Martin
Re: [Python-Dev] Admin access using svn+ssh
Martin v. Löwis [EMAIL PROTECTED] writes:
> [EMAIL PROTECTED] wrote:
> > It worked. I made a trivial change to Misc/NEWS and checked it in. I then ran svn blame NEWS to see what it showed. This took approximately forever. Can I assume this is one thing svn is always going to be pretty slow at?
>
> Yes. Somebody commented that this is quadratic in svn with the number of revisions, whereas it is linear in CVS. Please try it on some other file; Misc/NEWS is probably the worst case in the Python repository.
>
> I don't know whether there is any better way; we should perhaps ask on the svn users list.

One improvement, if you're looking for a fairly recent change is to bound the blame command with a revision range (I find a date up to HEAD as easiest). You'll miss annotations on lines which were last touched prior to the selected range, but it can definitely speed things up.

On a file like News, even if you're generous (say take the last year) it would probably be noticeably faster than letting svn go back to revision 1.

-- David
Re: [Python-Dev] Admin access using svn+ssh
On Sun, 2005-08-21 at 09:12, Martin v. Löwis wrote:
> It turns out that svn+ssh with a single account has limitations: you can only set the tunnel user when you are using a restricted key. In PEP 347, the plan is that the current SF project admins get shell access to the pythondev account, which just has been created.
>
> To resolve this, project admins need two different SSH keys: one for accessing the shell, and one for regular commit activities.

I may be totally misunderstanding, but to get shell access wouldn't I avoid using the pythondev account and just use my own account? I'd only need the pythondev account to access the svn repository, right? (And actually, it might be possible to set up group permissions and membership so that I could access the repo with either). The number of people who need shell access should be pretty small.

I'm also a little confused about the pep. What does admin access to the pythondev account mean? Do you mean the people who are going to be managing users that can access svn? In that case, I think the system admins (i.e. those who already have shell access to dinsdale) would be the people managing user access to svn.

> I would suggest that the default key is used for regular commits, and a separate key is created for shell access. I described this a bit in the PEP, essentially, in .ssh/config, I have
>
>     Host pythondev
>       Hostname dinsdale.python.org
>       User pythondev
>       IdentityFile ~/.ssh/pythondev
>
> So when I do ssh pythondev, I get the shell account; when I do svn co svn+ssh://[EMAIL PROTECTED]/python/trunk/Modules, I use my default identity, which gets tunneled as Martin v. Loewis.

I'm confused again; are you saying that we should have a host named pythondev.python.org? I'm not sure that's necessary.

-Barry
Re: [Python-Dev] Admin access using svn+ssh
On Sun, Aug 21, 2005, Barry Warsaw wrote:
> On Sun, 2005-08-21 at 09:12, Martin v. Löwis wrote:
> > I would suggest that the default key is used for regular commits, and a separate key is created for shell access. I described this a bit in the PEP, essentially, in .ssh/config, I have
> >
> >     Host pythondev
> >       Hostname dinsdale.python.org
> >       User pythondev
> >       IdentityFile ~/.ssh/pythondev
> >
> > So when I do ssh pythondev, I get the shell account; when I do svn co svn+ssh://[EMAIL PROTECTED]/python/trunk/Modules, I use my default identity, which gets tunneled as Martin v. Loewis.
>
> I'm confused again; are you saying that we should have a host named pythondev.python.org? I'm not sure that's necessary.

No, pythondev is simply an SSH alias for dinsdale -- the server knows nothing about it. I don't quite understand the User pythondev line, though -- I think that's a mistake.

--
Aahz ([EMAIL PROTECTED]) * http://www.pythoncraft.com/

The way to build large Python applications is to componentize and loosely-couple the hell out of everything.