On Sat, Feb 17, 2018 at 04:01:06PM +0100, Marek Marczykowski-Górecki wrote:
> On Sat, Feb 17, 2018 at 01:44:40AM -0800, Elias Mårtenson wrote:
> > Has anyone considered implementing split-git? The idea being that you'd 
> > have a custom git protocol that forwards requests over qrexec to a git 
> > repository on a different vm.
> > 
> > The reason I started thinking about it is that I have a vm for Keybase, 
> > and I'm using the keybase git provider for some private repositories. It 
> > would be nice to be able to work with those repositories from a vm which 
> > does not have Keybase installed.
> > 
> > I can also envision other use cases for a split-git implementation.
> > 
> > I have started working on a proof-of-concept but I'm nowhere near anything 
> > that works yet. That's why I'm asking here if anyone else has worked on 
> > the same thing, before spending more time on it.
> There are one and a half existing implementations of a similar feature:
> 1. Running plain git protocol over qrexec: 
> https://www.qubes-os.org/doc/development-workflow/#git-connection-between-vms
>    - there is no validation of the protocol itself, only some policy for
>      repository access (hardcoded into the script)
> 2. Wojtek tried something similar to your idea - forwarding specific
> requests over qrexec (at git object level), with data validation before
> passing it to git. AFAIK this is at a very early stage and of very limited
> scope (pushing one signed tag + dependencies?).

This is my take: https://github.com/woju/qubes-app-split-git
After first consulting with Marek I was under the impression that this may not be
that useful, but if you ask, I'm happy to share.

It mostly works, but has purposefully limited functionality. It fetches one
tag. The tag has to be signed and the rest of the objects (the commit the tag
points to, its tree and recursively any blobs and trees) are verified based on
their SHA1. You can't fetch branches nor any other refs, but you can fetch a tag
and fast-forward an existing branch to it. Any objects are verified in memory
before writing them to .git/objects.

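    # import the trusted signing key into a dedicated keyring (same file name as in the URL below)
    gpg --no-default-keyring --keyring gittrust.kbx --import < trustedpubkey.asc
    # quote the URL so the shell does not treat '?' as a glob character
    git remote add origin 'qrexec://remoteqube/repo.git?keyring=gittrust.kbx'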

    # the first time
    git fetch origin tag v1.0
    git checkout -b master v1.0

    # after some time
    git fetch origin tag v1.1
    git merge --ff-only v1.1

I'll probably write some README to cover installation.

Marek is right that this is a very early stage, so bugs are very much expected.

-- 
pozdrawiam / best regards       _.-._
Wojtek Porczyk               .-^'   '^-.
Invisible Things Lab         |'-.-^-.-'|
                             |  |   |  |
 I do not fear computers,    |  '-.-'  |
 I fear lack of them.        '-._ :  ,-'
    -- Isaac Asimov             `^-^-_>
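
The per-object check described in the message above (hash every received object in memory before it is stored), as an added example that is not part of the original post and is not code from qubes-app-split-git. The `fetch` callback and the sample repository are constructed for illustration, and the signature check on the tag is not shown; the walk starts from the commit id that a verified tag would name.

```python
import hashlib

def git_object_id(obj_type: bytes, body: bytes) -> str:
    """Git names an object by SHA-1 over b'<type> <size>\\0' + body."""
    return hashlib.sha1(obj_type + b" %d\0" % len(body) + body).hexdigest()

def parse_tree(body: bytes):
    """Yield (mode, hex_id) for each '<mode> <name>\\0<20 raw bytes>' entry."""
    pos = 0
    while pos < len(body):
        nul = body.index(b"\0", pos)          # ValueError if malformed
        mode = body[pos:nul].split(b" ", 1)[0]
        if nul + 21 > len(body):
            raise ValueError("truncated tree entry")
        yield mode, body[nul + 1:nul + 21].hex()
        pos = nul + 21

def verify_closure(commit_id: str, fetch) -> dict:
    """Return {id: (type, body)} for a commit, its tree, subtrees and blobs.
    fetch(hex_id) -> (type, body) is a hypothetical callback for the remote."""
    verified, pending = {}, [(commit_id, b"commit")]
    while pending:
        oid, want = pending.pop()
        if oid in verified:
            continue
        obj_type, body = fetch(oid)
        # Hash first, parse second: only authenticated bytes reach the parsers.
        if obj_type != want or git_object_id(obj_type, body) != oid:
            raise ValueError("object %s failed verification" % oid)
        verified[oid] = (obj_type, body)
        if obj_type == b"commit":
            first = body.split(b"\n", 1)[0]
            if not first.startswith(b"tree "):
                raise ValueError("commit without tree header")
            pending.append((first[5:].decode("ascii"), b"tree"))
        elif obj_type == b"tree":
            # Any non-directory mode is expected to be a blob; a submodule
            # entry (160000) therefore fails the type check and is rejected.
            for mode, child in parse_tree(body):
                pending.append((child, b"tree" if mode == b"40000" else b"blob"))
    return verified

# Constructed sample repository: one blob, one tree, one commit.
BLOB = b"hello\n"
BLOB_ID = git_object_id(b"blob", BLOB)
TREE = b"100644 README\0" + bytes.fromhex(BLOB_ID)
TREE_ID = git_object_id(b"tree", TREE)
COMMIT = b"tree " + TREE_ID.encode() + b"\nauthor A <a@example.org> 0 +0000\n\ninit\n"
COMMIT_ID = git_object_id(b"commit", COMMIT)
REMOTE = {BLOB_ID: (b"blob", BLOB), TREE_ID: (b"tree", TREE), COMMIT_ID: (b"commit", COMMIT)}
```

Because the result is returned only after the whole walk succeeds, a caller can write it to the object store in one step and never persist a partially verified set.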