git-repo-updater: remotes cannot be fetched if the server requires GSSAPI authentication

[bdesham]

Describe the bug

git-repo-updater is unable to update a certain Git repository, giving the output

$ cd /s/project1; gitup .
gitup: the git-repo-updater

/s/project1 (1 repo):
    project1:
        Fetching origin: error: Could not read from remote repository. Please
        make sure you have the correct access rights and the repository exists.

The remote in question looks like

$ git remote get-url origin
git@git.company.com:project1/project1.git

This host requires an SSH key for authentication. If I try to do a plain git fetch, then I may or may not be prompted for my SSH key password (depending on whether I’ve added my password to the SSH agent), but gitup is not even prompting for my password: it’s just failing, even if the key has already been added. In other words, it’s impossible to fetch from this server using gitup. (I believe gitup is calling git fetch under the covers, though there might be one or two Python libraries in between.)

This problem seems to be specific to Nix-installed gitup on Linux (I’m on CentOS). When I try this with a “normally-installed” gitup, or when I try to update the same repository (with the same remote URL) from a Nix-installed gitup on my Mac, it works fine.

To Reproduce

Steps to reproduce the behavior:

1. nix-env -i -A nixpkgs.git-repo-updater
2. cd into an affected Git repository
3. gitup .

Expected behavior

The remote in question requires an SSH key for authentication. If the appropriate SSH key has already been added to the SSH agent, then the gitup . command shown above should fetch from each remote in turn, update the local branches, and then exit with a 0 status.

If the SSH key has not been added, then I expect a password prompt before the update can continue:

gitup: the git-repo-updater

/s/project1 (1 repo):
    project1:
        Fetching originEnter passphrase for key '/Users/me/.ssh/git_key':

Additional context

I am the maintainer of the git-repo-updater derivation. I haven’t been able to solve this problem after several casual attempts, so I thought I should open this ticket in case someone else runs into the same problem. I’m sorry this report is so vague so far!

Metadata

• system: "x86_64-linux"
• host os: Linux 3.10.0-693.21.1.el7.x86_64, CentOS Linux, 7 (Core)
• multi-user?: no
• sandbox: no
• version: nix-env (Nix) 2.3
• channels(besham): "nixpkgs-20.03pre193309.c4196cca9ac"
• nixpkgs: /home/besham/.nix-defexpr/channels/nixpkgs

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: git-repo-updater

[bdesham]

This is the same issue as #58132: git-repo-updater is being built with a version of OpenSSH that doesn’t support GSSAPI, but GSSAPI is needed to talk to the server in question. Since I’m on a non-NixOS Linux, I worked around the issue by adding

export GIT_SSH=/path/to/good/ssh

to my shell’s startup file, where /path/to/good/ssh is a non-Nix-provided SSH binary that does include GSSAPI support. This makes things work both for git-repo-updater and for Git itself.

Edit: I’m not sure that GSSAPI was actually the problem, but using a different SSH binary changed something that made this start working for me.