[SSSD]Re: about fedorahosted-to-github mirror
On 12/03/2015 10:00 PM, Jakub Hrozek wrote:
> 1) fedorahosted.org
> [+] We don't have to manage the machine, dedicated admins do
> [-] We'd have to give read ACL to an identity that pushes /all/
> fedorahosted.org projects.

I'm also for this one. Fedorahosted.org hosts should be better secured than we will ever secure ours.

Nick
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
[SSSD]Re: about fedorahosted-to-github mirror
On Mon, Dec 07, 2015 at 10:36:19AM -0500, Simo Sorce wrote:
> On Thu, 2015-12-03 at 21:00 +0100, Jakub Hrozek wrote:
> > Hi,
> >
> > I was looking at options we have for setting up an automated way to
> > mirror our fedorahosted.org repo to github.com. Unfortunately, the
> > github mirror functionality seems to be discontinued[*], so the next
> > best thing to do is to set up a github deploy key:
> > https://developer.github.com/guides/managing-deploy-keys/#deploy-keys
> >
> > The private key would be on the machine we'd mirror from, the public key
> > would be uploaded to github. My question is -- do we want to set up the
> > push job on fedorahosted.org or one of our machines?
> >
> > 1) fedorahosted.org
> > [+] We don't have to manage the machine, dedicated admins do
> > [-] We'd have to give read ACL to an identity that pushes /all/
> > fedorahosted.org projects.
>
> I do not see why the above is a minus, isn't the repo already readable
> by anyone?

The repo is, but not the ssh private key which we would use to
authenticate to github. Check out Patrick's response:
https://fedorahosted.org/fedora-infrastructure/ticket/5011#comment:7

> > 2) Our own (CI?) machines
> > [+] We manage the machine with the private key. We keep control of the
> > key.
> > [-] We manage the machine with the private key. We're developers, not
> > admins.
> >
> > I would personally prefer 1) because if the git user on fedorahosted is
> > compromised, all bets are off anyway and the concern about a push key to
> > our /mirror/ repo would not be the primary one. But at the same time, I
> > don't feel comfortable doing the decision without asking the
> > list.
> >
> > So -- is anyone opposed to me asking fedorahosted.org to generate a keypair
> > and giving us the public key that I would upload to github?
>
> Once you have a mirror there have you made any determination about how
> to deal with PRs?

More or less as Samba does, notifications to this list.
The communication would be unidirectional and we'd ask the contributors
to continue discussion here.

> I assume you disable the issue tracker?

Of course.

> Simo.
>
> > Thanks!
> >
> > [*] github has gained enough traction already, so they don't care about
> > this functionality anymore..
>
> They start to become hostile to "competition" I guess... not a good
> sign, oh well.
>
> --
> Simo Sorce * Red Hat, Inc * New York
[SSSD]Re: about fedorahosted-to-github mirror
On Thu, 2015-12-03 at 21:00 +0100, Jakub Hrozek wrote:
> Hi,
>
> I was looking at options we have for setting up an automated way to
> mirror our fedorahosted.org repo to github.com. Unfortunately, the
> github mirror functionality seems to be discontinued[*], so the next
> best thing to do is to set up a github deploy key:
> https://developer.github.com/guides/managing-deploy-keys/#deploy-keys
>
> The private key would be on the machine we'd mirror from, the public key
> would be uploaded to github. My question is -- do we want to set up the
> push job on fedorahosted.org or one of our machines?
>
> 1) fedorahosted.org
> [+] We don't have to manage the machine, dedicated admins do
> [-] We'd have to give read ACL to an identity that pushes /all/
> fedorahosted.org projects.

I do not see why the above is a minus, isn't the repo already readable
by anyone?

> 2) Our own (CI?) machines
> [+] We manage the machine with the private key. We keep control of the
> key.
> [-] We manage the machine with the private key. We're developers, not
> admins.
>
> I would personally prefer 1) because if the git user on fedorahosted is
> compromised, all bets are off anyway and the concern about a push key to
> our /mirror/ repo would not be the primary one. But at the same time, I
> don't feel comfortable doing the decision without asking the
> list.
>
> So -- is anyone opposed to me asking fedorahosted.org to generate a keypair
> and giving us the public key that I would upload to github?

Once you have a mirror there have you made any determination about how
to deal with PRs?
I assume you disable the issue tracker?

Simo.

> Thanks!
>
> [*] github has gained enough traction already, so they don't care about
> this functionality anymore..

They start to become hostile to "competition" I guess... not a good
sign, oh well.

--
Simo Sorce * Red Hat, Inc * New York
[SSSD]Re: about fedorahosted-to-github mirror
On 12/03/2015 09:00 PM, Jakub Hrozek wrote:
> Hi,
>
> I was looking at options we have for setting up an automated way to
> mirror our fedorahosted.org repo to github.com. Unfortunately, the
> github mirror functionality seems to be discontinued[*], so the next
> best thing to do is to set up a github deploy key:
> https://developer.github.com/guides/managing-deploy-keys/#deploy-keys
>
> The private key would be on the machine we'd mirror from, the public key
> would be uploaded to github. My question is -- do we want to set up the
> push job on fedorahosted.org or one of our machines?
>
> 1) fedorahosted.org
> [+] We don't have to manage the machine, dedicated admins do
> [-] We'd have to give read ACL to an identity that pushes /all/
> fedorahosted.org projects.
>
> 2) Our own (CI?) machines
> [+] We manage the machine with the private key. We keep control of the
> key.
> [-] We manage the machine with the private key. We're developers, not
> admins.
>
> I would personally prefer 1) because if the git user on fedorahosted is
> compromised, all bets are off anyway and the concern about a push key to
> our /mirror/ repo would not be the primary one. But at the same time, I
> don't feel comfortable doing the decision without asking the
> list.

I also prefer 1).

> So -- is anyone opposed to me asking fedorahosted.org to generate a keypair
> and giving us the public key that I would upload to github?
>
> Thanks!
>
> [*] github has gained enough traction already, so they don't care about
> this functionality anymore..