Commits on Apr 22, 2010
  1. the most common problems an admin will see

    an admin who refuses to read messages that show up on the screen, that is ;-)
    committed Apr 22, 2010
Commits on Apr 20, 2010
  1. Merge branch 'master' into pu

    committed Apr 20, 2010
  2. (security) a different fix in place of 5fd9328

    SECURITY NOTE: if you deleted or renamed a pubkey file after 5fd9328
    went in (April 12th), please:
      - upgrade asap, then
      - go to your latest gitolite-admin clone and "git push -f"
    Otherwise this is not urgent.
    5fd9328 (and its minor successor 813a2a9) were about preventing the
    gitolite admin from sneaking in files to src/ and hooks/ into
    $GL_ADMINDIR.  It seemed easy enough to do this by converting the
    path-less checkout to a with-paths checkout, but this has caused a worse
    problem -- deleting a keydir/ now no longer has an effect; the
    file still hangs around in the work tree.
    Ouch!  (and thanks to teukka for noticing)
    We now do this check as a separate step, so the checkout can revert to
    being path-less.
    committed Apr 20, 2010
Commits on Apr 19, 2010

    I just got tired of supporting old gits.  Sorry.  Had to happen sooner
    or later.
    I know you feel upset right now but later you'll thank me.
    committed Apr 19, 2010
Commits on Apr 16, 2010
  1. make "expand" also print version, like "info" does

    (thanks to Ilari for catching this)
    committed Apr 16, 2010
  2. Do not override the SSH port if standard port 22 is used

    Always passing "-p 22" to ssh (or "-P 22" to scp) if no custom port is given on
    the command line causes trouble when not using a host name but an SSH session
    name (as defined in .ssh/config) which defines a non-standard port, because the
    port given on the command line overrides that port.
    Signed-off-by: Sebastian Schuberth <>
    sschuberth committed with Apr 16, 2010
Commits on Apr 15, 2010
  1. "D" must be combined with RW or RW+ (warning: minor backward compat b…

    Having to specify "D" separately from RW or RW+ was cumbersome, and
    although I don't actually use this feature, I can see the point.
    One way to think of this is:
      - RW and RW+ were the only existing branch level rights
      - it doesn't make sense to have D rights without W (hence RW) rights
      - so we simply suffix a D to these if required.
    Thus you can have RW, RW+, RWD, RW+D.
    I hope the (hopefully few) of you who have started to use this feature
    will convert your configs when you next upgrade to "pu".
    I now regret pushing the previous syntax to master too quickly -- lots
    of people use master only, and on the next promotion of pu the syntax
    will change.  To reduce this exposure, this change will be promoted to
    master very soon.
    committed Apr 15, 2010
Commits on Apr 14, 2010
  1. (minor) document what to do when you have *two* gits

    ...and the wrong one ends up running
    committed Apr 14, 2010
  2. (minor fixup)

    committed Apr 14, 2010
  3. added gerrit comparison

    committed Apr 14, 2010
Commits on Apr 13, 2010
  1. document the change in a982446

    (thanks to Eli for catching this!)
    committed Apr 13, 2010
  2. changelog for v1.4

    committed Apr 13, 2010
  3. allow user to define filenames that our hooks chain to

    (although the defaults are still update.secondary and
    post-update.secondary if you don't do anything)
    committed Apr 13, 2010
Commits on Apr 12, 2010
  1. (ls-tree has --name-only now!)

    thanks to Teukka for pointing it out
    committed Apr 12, 2010
  2. "accidental [mis]feature" -- yet another admin->shell hole blocked!

    This is a pretty big hole, really.  Only the fact that Eli called it an
    "accidental feature" helped catch it :)
    Notes on the code:
    An explicit list of paths -- maybe just "conf", "keydir", and "local" --
    would have been easier, but this isn't too bad, I think.
    committed Apr 12, 2010
Commits on Apr 10, 2010
  1. document how to create multiple gitolite instances on one server...

    ...and provide a pointer from the delegations doc for people taking
    delegation too far ;-)
    committed Apr 11, 2010
Commits on Apr 9, 2010
  1. bypass update hook if GL_BYPASS_UPDATE_HOOK is available in ENV

    people with shell access should be allowed to bypass the update hook, to
    allow them to clone locally and push.  You can now do this by setting an
    env var that the ssh "front door" will never set, like so:
        GL_BYPASS_UPDATE_HOOK=1 git push
    Note that this will NOT work for the gitolite-admin repo, because the
    post-update hook on that one requires a bit more.  If you really want to
    do that, try:
        GL_ADMINDIR=~/.gitolite GL_BINDIR=~/.gitolite/src GL_BYPASS_UPDATE_HOOK=1 git push
    (assuming default values in ~/.gitolite.rc)
    committed Apr 9, 2010
  2. new server-side program "gl-tool", subcommand "shell-add"

    Previous implementations of "give shell access to some gitolite users"
    feature were crap.  There was no easy/elegant way to ensure that someone
    who had repo admin access would not manage to get himself shell access.
    Giving someone shell access requires that you should have shell access
    in the first place, so the simplest way is to enable it from the server
    side only.
    So now that we decided to do that, we may as well prepare for other,
    future, commands by starting a server-side utility program with
    sub-commands (the only current one being "shell-add")
    committed Apr 9, 2010
  3. security: gitolite admin can get shell access by using screwy pubkey …

    example: keydir/sitaram@$(some-dangerous-command; echo hi).pub
    (still won't get the reward; that is only if a non-admin user gets
    committed Apr 9, 2010
Commits on Mar 31, 2010
  1. allow 'D' for @all repos that the new semantics can be made system-default if someone wants
    to do that
    committed Mar 31, 2010
Commits on Mar 30, 2010
  1. compile/update: new "D" permission

    normally, RW+ means permission to rewind or delete.
    Now, if you use "D" permission anywhere in a repo config, that means
    "delete" and RW+ then means only "rewind", no delete.
    committed Mar 30, 2010
Commits on Mar 29, 2010
  1. auth, do not leak info about repo existence

    All this is about a user trying to look if a repo exists or not, when he
    does not have any access to that repo.  Ideally, "repo does not exist"
    should be indistinguishable from "you don't have perms to that repo".
    (1) if $GL_WILDREPOS is not set, you either get a permissions error, or
        a "$repo not found in compiled config" death.  Fixed.
    (2) if $GL_WILDREPOS is set, you get either a permissions error,
        or a "$repo has no matches" death.  Fixed.
    (3) The following combination leaks info about repo existence:
          - actual repo doesn't exist
          - spying user doesn't have C perms
          - repo patt doesn't contain CREATER
          - RW+ = CREATER is specified (as is normal)
        In such case, the "convenience copy" of the ACL that parse_acl
        makes, coupled with substituting CREATER for the invoking user means
        $repos{$actual_repo} has RW+ for the spying user.  This means the
        access denied doesn't happen, and control passes to git, which
        promptly expresses its unhappiness and angst over being given a repo
        that 'does not appear to be a git repository'
        This doesn't happen if all those conditions are not met:
          - if repo exists, CREATER is set to the real creater, so RW+ =
            CREATER does not gain spying user anything
          - if spying user has C perms it just gets created, because he has
            rights.  This is also info leak but we can't prevent it; tighten
            the config (maybe by including CREATER in repo pattern) if this
            is not wanted
          - if repo patt contains CREATER it will never match someone else's
            repo anyway!
    committed Mar 28, 2010
Commits on Mar 28, 2010
  1. doc/4: added "how it actually works" section

    thanks to Ilari for helping fix a bug (see previous commit) and then
    prompting this documentation
    committed Mar 28, 2010
Commits on Mar 27, 2010
  1. auth: do not implicitly assign RW access for creaters

    a configuration like this:
        repo CREATER/.*
            C       =   CREATER
            RW+     =   WRITERS
    was buggy; CREATER was implicitly part of WRITERS so he got RW
    permissions implicitly, so the push went through
    committed Mar 27, 2010
Commits on Mar 26, 2010
  1. silly little PATH bug...

    what this means is that until now, everyone who used easy-install
    (without needing to set $GIT_PATH in the rc file) had a client-side PATH
    that was perfectly valid on the server side also!
    committed Mar 26, 2010
  2. @all for repos is now much cleaner; a true @all...

      - no need to put it at the end of the config file now, yeaaay!
      - @all for @all is meaningless and not supported.  People asking will
        be told to get a life or use git-daemon.
      - NAME/ limits for @all repos are ignored for efficiency reasons.
    committed Mar 23, 2010