[Pidgin] UsingPidginMercurial modified
Pidgin
trac at pidgin.im
Sun Jun 3 22:22:37 EDT 2012
Changed page "UsingPidginMercurial" by rekkanoryo from 71.61.104.159*
Page URL: <http://developer.pidgin.im/wiki/UsingPidginMercurial>
Diff URL: <http://developer.pidgin.im/wiki/UsingPidginMercurial?action=diff&version=3>
Revision 3
Comment: Add some more information about "root" access.
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: UsingPidginMercurial
=========================================================================
--- UsingPidginMercurial (version: 2)
+++ UsingPidginMercurial (version: 3)
@@ -70,15 +70,20 @@
=== Adding New Users ===
-The process to allow new users SSH access to the Mercurial repositories is pretty simple, but requires someone with "root" access to mercurial-server. Currently those people are rekkanoryo and lschiere.
+The process to allow new users SSH access to the Mercurial repositories is pretty simple, but requires someone with "root" access to mercurial-server. Currently those people are datallah, rekkanoryo, and lschiere.
1. Check out the `hgadmin` repo: `hg clone ssh://hg@hg.pidgin.im/hgadmin pidgin-hgadmin`
- 1. `cd pidgin-hgadmin/keys`. Inhere is a series of directories. The format is self-explaining. Developers go in `devs/$NICKNAME`, CPW's in `cpws/$NICKNAME`, SoC students in `soc/$NICKNAME`.
- 1. Create the appropriate directory.
- 1. Within this directory create a file named for the SSH key being added, for example `user at somehost`.
- 1. Put the SSH public key in this file.
- 1. `hg add $FILE`
- 1. Go back to the root of `pidgin-hgadmin`.
- 1. Edit `access.conf`. Copy an existing line for the same class of user (developer, CPW, SoC student) and modify it as appropriate for the new person's nickname and, if applicable, SoC year.
- 1. `hg commit`
- 1. `hg push` (mercurial-server updates automatically on push)
+ 1. `cd pidgin-hgadmin/keys`. Inhere is a series of directories. The format is self-explaining. Developers go in `devs/$NICKNAME`, CPW's in `cpws/$NICKNAME`, SoC students in `soc/$NICKNAME`. This is to allow a single developer, CPW, or SoC student to have multiple SSH keys, perhaps for multiple machines.
+ 1. Create the appropriate directory.
+ 1. Within this directory create a file named for the SSH key being added, for example `user at somehost`.
+ 1. Put the SSH public key in this file.
+ 1. `hg add $FILE`
+ 1. Go back to the root of `pidgin-hgadmin`.
+ 1. Edit `access.conf`. Copy an existing line for the same class of user (developer, CPW, SoC student) and modify it as appropriate for the new person's nickname and, if applicable, SoC year.
+ 1. `hg commit`
+ 1. `hg push` (mercurial-server updates automatically on push)
+
+=== A Special Note About "root" Access ===
+As indicated above, people who have "root" access to mercurial-server have the ability to configure the server via the `hgadmin` repo. They also have the ability to bypass all ACL's, and thus can write to any repository, including developers', CPWs', and SoC students' repositories.
+
+Additionally, there is a safety net built into the mercurial-server configuration. In `/etc/mercurial-server` on rock.pidgin.im is a default ACL (`access.conf`) and a `keys` directory structure. This default ACL is what grants "root" users their privileges, and the `keys` directory structure contains two keys in the `keys/root` directory. These two keys belong to rekkanoryo and lschiere. These keys are located here in the server's filesystem instead of in the hgadmin repository as a safety net. When building the files used by mercurial-server, the tools ''always'' read from `/etc/mercurial-server` ''before'' reading from `hgadmin`; this allows rekkanoryo and lschiere to always be able to access the hgadmin repo in the event that it is damaged either through accidental or intentional means. This safety net means that at least two people will ''always'' have access to our repositories.
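Review bot: The list of "root" holders is inconsistent within this revision: the "Adding New Users" paragraph now names datallah, rekkanoryo, and lschiere, while the new "Special Note" section says `keys/root` in `/etc/mercurial-server` holds only two keys, belonging to rekkanoryo and lschiere. The page should say where datallah's "root" key lives and state explicitly that it is not covered by the safety net, so readers know which accounts survive a damaged `hgadmin` repo. Since the new section also documents that "root" keys bypass all ACLs, it would help to note who is expected to review changes to the filesystem copy of `access.conf` and `keys/root`, because those files sit outside the `hgadmin` history. Minor wording in the added lines: "Inhere" should be "In here", "self-explaining" reads better as "self-explanatory", and "ACL's" / "CPW's" are plurals and should be "ACLs" / "CPWs".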
-------8<------8<------8<------8<------8<------8<------8<------8<--------
* The IP shown here might not mean anything if the user or the server is
behind a proxy.
--
Pidgin <http://pidgin.im>
Pidgin
This is an automated message. Someone at http://pidgin.im added your email
address to be notified of changes on UsingPidginMercurial. If it was not you, please
report to .