Problems with a gitosis port

Andrew Bennetts andrew.bennetts at canonical.com
Tue Nov 25 01:10:27 GMT 2008


Adam Olsen wrote:
[...]
> I see that the guy that wrote bzr_access was kind of trying to do the
> same thing - the script references SSH_ORIGINAL_COMMAND, but it never
> actually uses it.

Right.  The problem of course is that the client always sends the same
command, with the same “--directory=/”.  The reason for this is that the
client cannot know in advance what paths it will need to access on the server.

E.g. consider a user running “bzr branch bzr+ssh://host/foo/bar/baz”.  The
client cannot use “--directory=/foo/bar/baz”, because “baz” might be a
branch in a shared repository, and that shared repository could be in any of
the parent directories.  The client can't know what directories it needs
until it connects, but it can't connect without asking for a directory.  So
the only option is to ask for /.

Well, the other option would be to reconnect, but establishing new SSH
connections is quite slow (5s is not uncommon over international links),
and, depending on the URL and the layout on the remote side, multiple
reconnections might be required.

Branch references have a similar issue.  And some commands like “bzr log”
can take URLs referring to files in a branch (e.g. bzr log
bzr+ssh://host/foo/bar/baz/README), but again there's no way to tell which
part of the URL is the branch and which is the file in the branch without
connecting and taking a look.

So enforcing the restrictions at connection time is too soon.  Michael's
suggestion to do it inside bzr with a plugin delays worrying about the
restrictions until the client actually tries to access files.  You can use
the same SSH configuration that you use to start gitosis or bzr_access to
run your plugin, say “bzr restricted-serve ...”, which implements a custom
bzrlib transport with your policies.  This can work quite well I think, but
is probably more complicated than how gitosis works.

-Andrew.
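
Added example, not part of the original message and not bzr or bzrlib code: a sketch of the access-time check described above, where every path the client touches is normalized and tested against a per-user policy, instead of relying on the SSH command line that always asks for “/”. The policy table, `RestrictedStore` and the dict used as a backing store are hypothetical stand-ins for a real transport.

```python
import posixpath

# Constructed sample policy: user -> [(path prefix, may_write)]. Hypothetical.
POLICY = {
    "alice": [("/foo/bar", True), ("/shared", False)],
    "bob": [("/shared", False)],
}


class AccessDenied(Exception):
    pass


def normalize(path):
    """Collapse '.', '..' and repeated slashes before any prefix comparison,
    so '/foo/bar/../../etc' is judged as '/etc'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(user, path, write=False):
    """Decide one access. The first matching prefix wins; no match means deny."""
    path = normalize(path)
    for prefix, may_write in POLICY.get(user, []):
        # Match on a path-component boundary: '/foo/bar' must not cover '/foo/barbaz'.
        if path == prefix or path.startswith(prefix + "/"):
            return may_write or not write
    return False


class RestrictedStore:
    """Checks each read and write as it happens (stand-in for a custom transport)."""

    def __init__(self, user, backing):
        self.user = user
        self.backing = backing  # dict of path -> bytes, constructed stand-in

    def get(self, path):
        if not is_allowed(self.user, path):
            raise AccessDenied(path)
        return self.backing[normalize(path)]

    def put(self, path, data):
        if not is_allowed(self.user, path, write=True):
            raise AccessDenied(path)
        self.backing[normalize(path)] = data
```

With this policy, a client probing upward for a shared repository from /foo/bar/baz is served at /foo/bar and refused at /foo, without the server needing to know the branch layout when the connection opens.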



