I'm getting the impression that a bundle package, then committing those packaged gems to the repo and deploying is the way to go. Will Heroku by default look in the vendor/cache directory first before installing gems remotely?
On Aug 12, 7:14 am, Matthew Todd <matthew.t...@gmail.com> wrote:
> On Aug 12, 2010, at 3:34 AM, Bradley wrote:
>
> >> Right, so I added in:
>
> >> Host heroku.com
> >> ForwardAgent yes
>
> >> to my Tomcat user's ~/.ssh/config. This is the user that checks out
> >> from Github then pushes to heroku. I still get the same error,
> >> Permission denied (publickey).
>
> Hi, Brad --
>
> I've just done an experiment here, pushing to Heroku (with and without
> ForwardAgent turned on) a small Rack app having a Gemfile specifying a
> dependency on a privately-accessible-over-ssh git repository.
>
> It didn't work. I see the same error you do.
>
> As I Google, I'm suspecting this is because of the way Heroku's ssh
> authorized_keys file is configured. It turns out there's a setting called
> "no-agent-forwarding" that keeps turning up in [people's][1] [examples][2]
> for how to configure git access over ssh. (See [sshd(8)][3] for more.)
>
> Heroku guys, would any of you be able to confirm that these
> "no-agent-forwarding" clauses are present in (the equivalent of) the
> ~/.ssh/authorized_keys file for g...@heroku.com? Do I understand correctly
> that removing them would enable Brad's use case here?
>
> On Aug 12, 2010, at 3:39 AM, David Balatero wrote:
>
> > If Bundler is running on Heroku, the Heroku UNIX user account needs to have
> > its public key in your Github repo as an authorized key.
>
> > Each Heroku machine will have a different SSH key generated, and you
> > non-deterministically deploy to <some> machine in the Heroku cloud each
> > time you deploy.
>
> > Even if you had a consistent SSH key, it would be insecure for you to add
> > that key to your public repo, as anyone else deploying to the same machine
> > as you would be able to download your code repo.
>
> Hi, David --
>
> Yes, exactly -- this multiple-host inconsistency / insecurity is what I
> suspect we'd be able to overcome with ssh's agent forwarding. It would
> transitively allow (bundler running on) Heroku to connect to Brad's private
> repository using his local ssh keys.
>
> All the best,
> -- Matthew
>
> [1]: http://stackoverflow.com/questions/3224340/git-push-returns-fatal-pro...
> [2]: http://eagain.net/blog/2007/03/22/howto-host-git.html
> [3]: http://www.manpagez.com/man/8/sshd/ Oy, that's an ugly page!
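
As an added illustration of the "no-agent-forwarding" setting discussed in the quoted message (not part of the thread, and not Heroku's configuration): a Python script that reads authorized_keys entries in the format sshd(8) documents and reports which keys may use agent forwarding. The sample entries, key blobs and the `gitserve` command are constructed, and applying the options left to right is an assumption of this example.

```python
# A line that starts with a key type has no options field in front of the key.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_entry(line):
    """Split one authorized_keys line into (options list, remainder)."""
    if line.startswith(KEY_TYPES):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':      # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c in " \t":            # end of the options field
            break
        if not quoted and c == ",":
            opts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return opts + [cur], line[i:].strip()

def agent_forwarding_permitted(opts):
    """Apply options left to right (assumption); permitted unless disabled."""
    allowed = True
    for opt in opts:
        name = opt.split("=", 1)[0].lower()        # keywords are case-insensitive
        if name in ("no-agent-forwarding", "restrict"):
            allowed = False
        elif name == "agent-forwarding":           # re-enables after "restrict"
            allowed = True
    return allowed

def audit(text):
    """Map each entry's last field (the key comment) to the forwarding verdict."""
    result = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            opts, rest = split_entry(line)
            result[rest.split()[-1]] = agent_forwarding_permitted(opts)
    return result

SAMPLE = r'''
# Constructed entries; key blobs are placeholders, gitserve is hypothetical.
ssh-ed25519 AAAAplaceholder1 plain@example
no-agent-forwarding,no-port-forwarding,command="gitserve \"brad,rw\"" ssh-rsa AAAAplaceholder2 git@example
restrict,agent-forwarding ssh-ed25519 AAAAplaceholder3 fwd@example
RESTRICT ssh-ed25519 AAAAplaceholder4 locked@example
'''
```

A key reported as permitted here is still subject to the server-wide `AllowAgentForwarding` setting in sshd_config.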