Browse files

the dupkeys function was already in ssh-authkeys... there's no need for the VREF.

Ironically, while I was arguing with Eli that I wouldn't do it and why,
the code was *already* there, and had been for over a month!  (It must
have been there for much longer for me to have forgotten!)

TODO: convert from using fingerprint compute to actual key strings when
the complaints about speed start appearing.

My own personal speed up loop [1] I guess :)

  • Loading branch information...
1 parent 699bafa commit fa2893be7c45ac17bac6da570f3270f0e0210103 @sitaramc committed May 6, 2012
Showing with 1 addition and 52 deletions.
  1. +1 −7 doc/vref.mkd
  2. +0 −45 src/VREF/DUPKEYS
@@ -16,12 +16,6 @@ Here's an example to start you off.
Now dev2 and dev3 cannot push changes that affect more than 9 files at a time,
nor those that have more than 3 new files.
-Another example is detecting duplicate pubkeys in a push to the admin repo:
- repo gitolite-admin
- # ... normal rules ...
- - VREF/DUPKEYS = @all
## rule matching recap
@@ -63,7 +57,7 @@ the VREF only in "deny" rules.
This in turn means any existing update hook can be used as a VREF *as-is*, as
long as it (a) prints nothing on success and (b) dies on failure. See the
-email-check and dupkeys examples later.
+email-check example later.
## how it works -- overview
@@ -1,45 +0,0 @@
-# gitolite VREF to detect duplicate public keys
-# see gitolite doc/vref.mkd for what the arguments are
-# git sets this; and we don't want it at this point...
-unset GIT_DIR
-# paranoia
-set -e
-# setup the temp area
-export tmp=$(mktemp -d -t gl-internal-temp-repo.XXXXXXXXXX);
-trap "rm -rf $tmp" EXIT;
-git archive $sha keydir | tar -C $tmp -xf -
- # DO NOT try, say, 'GIT_WORK_TREE=$tmp git checkout $sha'. It'll screw up
- # both the 'index' and 'HEAD' of the repo.git. Screwing up the index is
- # BAD because now it goes out of sync with $GL_ADMINDIR. Think of a push
- # that had a deleted pubkey but failed a hooklet for some reason. A
- # subsequent push that fixes the error will now result in a $GL_ADMINDIR
- # that still *has* that deleted pubkey!!
- # And this is equally applicable to cases where you're using a
- # post-receive or similar hook to live update a web site or something,
- # which is a pretty common usage, I am given to understand.
-cd $tmp
-for f in `find keydir -name "*.pub"`
- ssh-keygen -l -f "$f"
-done | perl -ane '
- die "FATAL: $F[2] is a duplicate of $seen{$F[1]}\n" if $seen{$F[1]};
- $seen{$F[1]} = $F[2];
-# as you can see, a vref can also 'die' if it wishes to, and it'll take the
-# whole update with it if it does. No messing around with sending back a
-# vref, having it run through the matches, and printing the DENIED message,
-# etc. However, if your push is running from a script, and that script is
-# looking for the word "DENIED" or something, then this won't work...

0 comments on commit fa2893b

Please sign in to comment.