Hi,

This mail is to share my thoughts about the replication of the git repositories, especially on Github. We recommend inside the SF documentation to use the deploy key feature of Github, and due to the way Github behaves we ask the user:

* to create a unique key pair for each repository to replicate
* to push the private key on SF
* to modify the .ssh/config of the Gerrit user
* to use an alias in the replication.config file
* to restart Gerrit

It is really cumbersome. We tried to mitigate the overhead via the REST API of managesf, but as you know it does not work so well and thus I'm removing that API endpoint atm.

Playing yesterday with Github, I've figured out we should not recommend the usage of the deploy key feature of Github (because it is too complex to handle on the SF side) but instead ask the user:

* to register Gerrit's public key inside the owner's keys list or inside one of the collaborators' keys lists here: https://github.com/settings/keys. In other terms, someone (a Github user) should authorize SF to push on his behalf and SF will inherit the write rights of this user. But there are drawbacks, as SF will be able to act on other repos owned by the Github user ...
* or the other suggestion is to recommend the creation of a specific Github user with the Gerrit public key registered. This specific user should be configured as collaborator or owner of the repositories SF will replicate. But the issue here is how to register that specific user: SF needs its own mail recipient ...

I think the second solution is the best one in terms of usability and security, and it is not so complicated to ask for a mail account. Furthermore, this mail account should be the one we use to receive SF notifications (admin_mail_forward in sfconfig).

And finally, even if we do not recommend it in the SF documentation, the usage of the deploy key feature of Github should be mentioned and explained.

The overall goal is to minimize the tasks to perform for users and/or SF admins to set up the replication. The ongoing replication refactoring and the recommendation of the second Github proposal should help a lot with that: only the merge of a review inside the config repo to gerrit/replication.config will be needed to set up the replication.

Let me know what you think about that.

Cheers,
Fabien
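
The per-repository deploy key procedure listed in the mail, sketched as an added example (not part of the original mail and not SF's own tooling). `KEY_DIR`, the `github-<repo>` alias scheme and the org and repo names are assumptions, and the Gerrit project name is assumed to match the GitHub repository name.

```shell
#!/bin/sh
# Added example: what each replicated repository costs with GitHub deploy keys.
# KEY_DIR is a placeholder for the Gerrit user's ~/.ssh directory (assumption).
KEY_DIR="${KEY_DIR:-/path/to/gerrit-home/.ssh}"

# One key pair per repository: GitHub rejects a deploy key that is already
# registered on another repository. The .pub file is what gets uploaded.
make_deploy_key() {  # $1 = repo
    ssh-keygen -q -t ed25519 -N '' -C "sf-replication-$1" -f "$KEY_DIR/deploy_$1"
}

# .ssh/config stanza: the alias selects exactly one private key for github.com.
ssh_config_stanza() {  # $1 = repo
    printf 'Host github-%s\n' "$1"
    printf '    HostName github.com\n'
    printf '    User git\n'
    printf '    IdentityFile %s/deploy_%s\n' "$KEY_DIR" "$1"
    printf '    IdentitiesOnly yes\n'
}

# replication.config remote: the URL targets the alias, not github.com.
# ${name} is left out of the URL because the remote matches a single project.
replication_stanza() {  # $1 = GitHub org, $2 = repo
    printf '[remote "github-%s"]\n' "$2"
    printf '    url = git@github-%s:%s/%s.git\n' "$2" "$1" "$2"
    printf '    projects = %s\n' "$2"
    printf '    push = +refs/heads/*:refs/heads/*\n'
    printf '    push = +refs/tags/*:refs/tags/*\n'
}

# Print both sets of stanzas for a list of repositories.
render_all() {  # $1 = GitHub org, remaining args = repos
    org="$1"; shift
    echo '# ---- .ssh/config of the Gerrit user ----'
    for repo in "$@"; do ssh_config_stanza "$repo"; done
    echo '# ---- replication.config ----'
    for repo in "$@"; do replication_stanza "$org" "$repo"; done
}

# Usage: sh render.sh exampleorg repo-a repo-b   (constructed names)
# Gerrit still has to be restarted afterwards, as the mail notes.
if [ "$#" -ge 2 ]; then render_all "$@"; fi
```

With a dedicated GitHub user, as proposed in the mail, a single key replaces the per-repository keys and aliases, and only the replication.config remotes remain to be written.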
