-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, Oct 28, 2016 at 04:56:36AM +0000, Manuel Amador (Rudd-O) wrote: > On 10/27/2016 01:13 PM, Marek Marczykowski-Górecki wrote: > > On Thu, Oct 27, 2016 at 11:47:04AM +0000, Manuel Amador (Rudd-O) wrote: > > > It gives me great pleasure to announce the inter-VM Git bridge for Qubes > > > OS, which allows you to git push and git pull from VMs stored in other > > > repos, with no networking involved whatsoever, and observing full > > > compliance with Qubes OS qrexec policy. > > > > > This should usher in a new era of software development that allows > > > people to segregate their secure Git repos from insecure build VMs and > > > other engineering constructs I can't even think of (after doing > > > low-level socket programming for a week, which has left my brain utterly > > > fried). > > > > Hmm, have you seen this? > > https://www.qubes-os.org/doc/development-workflow/#git-connection-between-vms > > > > I had. That inspired me to package up the solution in a nice-to-use and > easy-to-install way, that is more general and is not limited to Qubes OS > development. As you know, instructions are cool, but ready-to-go > software is cooler. I quite like that my solution actually has a > distinct protocol qubes:/// too.
I think it should be possible without manually copying the data back and forth, too. In other words: connect git directly to stdin/out and wait it for finish, then handle next command (if any). The amount of code scares me - over 10x more over something that works just fine... One possible problem is that it gives access to all the repositories (there is an info about that in doc). It may not always be desired effect. The instruction above have a place to limit the access, I see two easy ways how to do it in your solution: 1. Add some configuration in target VM - like .config/qubes-git/allow-from-MY_SOURCE_VM_NAME and put allowed paths there. 2. Use qrexec service argument[1]. This way it can be specified in policy (and single "yes" on ask would allow only specific repository access). Using the same way you could also add access level: pull/push only. The second one is surely more flexible and more user friendly (no new config, the same confirmation, etc). But probably require few more changes. Also note that service argument cannot contain "/", so you'll need to encode the path somehow. And also service name + argument is limited to 64 characters, but this shouldn't be a big problem in practice. [1] https://www.qubes-os.org/doc/qrexec3/#service-argument-in-policy - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJYExeqAAoJENuP0xzK19csehYH/jXDRQSxGw785j2JuahUrvoS hMcmderGo3yQ8f9iA9V9H0w67bdBLq6UO00xjxBxBr/varI2j9+PWRmeYQVWvqFa ZhDh1LubxLjvMKqzb4AyHTZhcEXJEXUnYZBG6uBtHyu4w5F5UZMGIJZjigxWklEL cDl0NsMlZeKBDbrDoZOUR6pagpoFdqvwQkZuJ6GGL5/LA+1qV7zgVwuwfudUE5tm +fISEU9XsO5GcKrGLo5Pq2GuCb5r5bsptwYz6m6xPrybVpLA5YUXBtzhOH5ppW9a efULp8Ip7mTVkvuamWVB061rwkK8BM1qENQkCYvyqmq4p2xoNomuZjn6H/dmy54= =JfJ6 -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20161028091731.GF7073%40mail-itl. For more options, visit https://groups.google.com/d/optout.
