On Sat, Feb 17, 2018 at 04:01:06PM +0100, Marek Marczykowski-Górecki wrote:
> On Sat, Feb 17, 2018 at 01:44:40AM -0800, Elias Mårtenson wrote:
> > Has anyone considered implementing split-git? The idea being that you'd
> > have a custom git protocol that forwards requests over qrexec to a git
> > repository on a different vm.
> >
> > The reason I started thinking about it is that I have a vm for Keybase,
> > and I'm using the keybase git provider for some private repositories. It
> > would be nice to be able to work with those repositories from a vm which
> > does not have Keybase installed.
> >
> > I can also envision other use cases for a split-git implementation.
> >
> > I have started working on a proof-of-concept but I'm nowhere near anything
> > that works yet. That's why I'm asking here if anyone else has worked on
> > the same thing, before spending more time on it.
>
> There are one and a half existing implementations of a similar feature:
>
> 1. Running plain git protocol over qrexec:
> https://www.qubes-os.org/doc/development-workflow/#git-connection-between-vms
> - there is no validation of the protocol itself, only some policy for
> repository access (hardcoded into the script)
>
> 2. Wojtek tried something similar to your idea - forwarding specific
> requests over qrexec (at git object level), with data validation before
> passing it to git. AFAIK this is at a very early stage and very limited
> in scope (pushing one signed tag + dependencies?).

This is my take:
https://github.com/woju/qubes-app-split-git

After first consulting with Marek I was under the impression that this may
not be that useful, but if you ask, I'm happy to share.

It mostly works, but has purposefully limited functionality. It fetches
one tag. The tag has to be signed and the rest of the objects (the commit
the tag points to, its tree and recursively any blobs and trees) are
verified based on their SHA1. You can't fetch branches nor any other refs,
but you can fetch a tag and fast-forward an existing branch to it. Any
objects are verified in memory before writing them to .git/objects.

    gpg --no-default-keyring --keyring gittrust.kbx --import < trustedpubkey.asc
    git remote add origin 'qrexec://remoteqube/repo.git?keyring=gittrust.kbx'

    # the first time
    git fetch origin tag v1.0
    git checkout -b master v1.0

    # after some time
    git fetch origin tag v1.1
    git merge --ff-only v1.1

I'll probably write some README to cover installation. Marek is right that
this is at a very early stage, so bugs are very much expected.

--
pozdrawiam / best regards
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
    -- Isaac Asimov

--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20180219170121.GK1198%40invisiblethingslab.com.
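
The object check described in the message above (every object reachable from the tag is hashed in memory and accepted only if the hash equals the id it was requested by), as an added example that is not part of the original post and is not code from qubes-app-split-git. The function names, the `remote` dictionary standing in for the other qube's replies, and the sample objects are assumptions; verification of the tag's signature is assumed to happen separately and is not shown.

```python
import hashlib

def git_object_id(obj_type: bytes, payload: bytes) -> str:
    """SHA-1 over git's framing: b"<type> <size>\\0" followed by the payload."""
    return hashlib.sha1(obj_type + b" %d\0" % len(payload) + payload).hexdigest()

def header_field(payload: bytes, name: bytes) -> str:
    """Value of the first "<name> <value>" header line of a tag or commit."""
    for line in payload.split(b"\n\n", 1)[0].split(b"\n"):
        if line.startswith(name + b" "):
            return line[len(name) + 1:].decode()
    raise ValueError("missing header " + name.decode())

def tree_entries(payload: bytes):
    """Yield (mode, child_id) from a raw tree: b"<mode> <name>\\0" + 20-byte id."""
    pos = 0
    while pos < len(payload):
        nul = payload.index(b"\0", pos)
        yield payload[pos:payload.index(b" ", pos)], payload[nul + 1:nul + 21].hex()
        pos = nul + 21

def fetch_verified(remote: dict, tag_id: str) -> dict:
    """Walk tag -> commit -> tree -> blobs; return them only if every id matches."""
    verified = {}  # stands in for .git/objects; only checked objects land here
    def take(oid, expected_type):
        obj_type, payload = remote.get(oid, (None, b""))  # untrusted reply
        if obj_type != expected_type or git_object_id(obj_type, payload) != oid:
            raise ValueError("rejected object " + oid)
        verified[oid] = (obj_type, payload)
        if expected_type == b"tree":  # recurse into subtrees and blobs
            for mode, child in tree_entries(payload):
                take(child, b"tree" if mode == b"40000" else b"blob")
        return payload
    tag = take(tag_id, b"tag")  # assumed: the tag's signature is verified separately
    commit = take(header_field(tag, b"object"), b"commit")
    take(header_field(commit, b"tree"), b"tree")
    return verified

def make_sample():
    """Constructed sample objects as a remote would send them (tag left unsigned)."""
    remote, who = {}, b" A <a@example.org> 0 +0000\n"
    def put(obj_type, payload):
        remote[git_object_id(obj_type, payload)] = (obj_type, payload)
        return git_object_id(obj_type, payload)
    blob_id = put(b"blob", b"hello\n")
    tree_id = put(b"tree", b"100644 README\0" + bytes.fromhex(blob_id))
    commit_id = put(b"commit", b"tree " + tree_id.encode() + b"\nauthor" + who + b"committer" + who + b"\ninit\n")
    tag_id = put(b"tag", b"object " + commit_id.encode() + b"\ntype commit\ntag v1.0\ntagger" + who + b"\nv1.0\n")
    return remote, tag_id, blob_id
```

Because each id is a hash of the content, a signature over the tag covers the whole tree only as far as SHA-1 is trusted; a reply with a substituted, missing or wrongly typed object raises before anything is returned.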