"hg archive" with remote URL

Mutlu Dogruel mutludogruel at gmail.com
Fri Aug 9 13:52:13 UTC 2013


On 9 Aug 2013, at 13:32, "Kastner Masilko, Friedrich" <kastner-masilko at at.festo.com> wrote:

>> From: Mutlu Dogruel [mailto:mutludogruel at gmail.com]
>> 
>> I think you misunderstood. I was talking about automatic deployment as
>> in Opscode Chef cookbooks in which there is no manual installing as
>> such. Basically, it's a script running on a remote machine that does
>> all the installations, fetching code from repositories etc. It makes it
>> easy to set up clusters in cloud computing platforms, for example. If
>> you are using the "curl" solution, you have to pass the user name &
>> password to the script somehow (one solution is the use of encrypted
>> databags in Chef recipes). But ideally, key-based authentication would
>> work best in such setups. Having to manage temporary user names &
>> passwords on a project basis is not an elegant solution.
> 
> I don't know. IMHO it doesn't really matter if it is a user machine - where the user has to install a DVCS manually and invoke the download manually - or a remote machine, where everything is done by your script. Your initial question used git's remote-archive feature as example, so how would git have been installed on the remote machine? Do you simply assume it is? Without the DVCS on the remote machine, a script running a DVCS command can't work. This is what I meant with having wget/curl being a better option, as those tools work as HTTP(S) tools and not as DVCS, with the latter not really being the feature set you need for a download operation.
> 
> Besides this, wouldn't you have to embed/transfer the relevant key part, too? Is this really that different from embedding/transferring user/password? Or do you assume that the key is installed on all remote machines already?
> 
> I'd also say that in your case it would of course make more sense to use only one temporary user for this, just as you would use only one key-pair.
> 
> Maybe I'm missing something essential here (given that I don't know Chef too well), but from the general standpoint I don't understand your statement about key-based authentication working best in this situation.
> 
> Regards,
> Fritz
> 
> 


Dear Fritz,

I don't want to be off topic, but Chef installs the necessary packages. If you use a git Chef recipe involving fetching some source code, it installs the correct package for git behind the scenes (using apt-get or yum or whatever is appropriate) before executing the required git command. In this scenario, "git archive URL" makes sense. This way, we are not cloning entire repositories. Job done. I don't mind installing hg or git just for the sake of grabbing the latest snapshot of a repo. It's not a big deal, they are lightweight, and it's done by Chef.

If using a user name & password with curl, instead of the more secure ssh keys, first of all, you have to make sure curl is installed on the remote machine; secondly, and more importantly, the command line history and the Chef logs will contain those lines showing your password in plain text! I am not claiming using user name & password with curl won't work. It does, as I wrote in my previous message. Chef itself, too, works with ssh keys, and this is what we prefer as well. For this reason, instead of using curl, we will be doing "hg clone, hg archive and rm .hg" for now.

Regards,
Mutlu
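
The exposure described in the message above (passwords from curl invocations ending up in shell history and Chef logs) can be checked for and scrubbed. The script below is an added example, not part of the original message or of Chef or Mercurial; the log format, the host hg.example.org, and the deploy:s3cret credentials are constructed for illustration.

```shell
#!/bin/sh
# Added example: count and redact credentials that command lines leave behind
# in shell history or deployment logs. Every sample line is constructed.

FLAG='(-u[[:space:]]*|--user[=[:space:]]+)'   # curl -u / --user forms
USERPART='[^[:space:]:@/]+'                   # user name, no separators
URLPFX='[a-zA-Z][a-zA-Z0-9+.-]*://'           # scheme:// prefix of a URL

# count_leaks: read text on stdin, print the number of lines exposing a secret,
# either a curl user:password flag or a scheme://user:password@host URL.
count_leaks() {
    grep -E -c -e "curl.*${FLAG}${USERPART}:[^[:space:]]+" \
               -e "${URLPFX}${USERPART}:[^[:space:]@/]+@" || true
}

# redact_credentials: same two patterns, password replaced, user name kept so
# the log still shows which account was used. Key-based ssh:// URLs carry no
# secret and pass through unchanged.
redact_credentials() {
    sed -E \
        -e "/curl/ s#${FLAG}(${USERPART}):[^[:space:]]+#\1\2:REDACTED#g" \
        -e "s#(${URLPFX}${USERPART}):[^[:space:]@/]+@#\1:REDACTED@#g"
}

# sample_log: constructed log excerpt (hypothetical format and values).
sample_log() {
    cat <<'EOF'
[13:40:01] INFO: ran curl -u deploy:s3cret -o /tmp/tip.tar.gz https://hg.example.org/proj/archive/tip.tar.gz
[13:40:05] INFO: ran curl --user=deploy:s3cret -O https://hg.example.org/proj/archive/tip.zip
[13:41:10] INFO: ran hg clone https://deploy:s3cret@hg.example.org/proj /tmp/proj
[13:42:30] INFO: ran hg clone ssh://hg@hg.example.org/proj /tmp/proj
[13:42:41] INFO: ran hg archive -R /tmp/proj /srv/app
EOF
}

sample_log | redact_credentials
```

Passwords containing whitespace or quoted on the command line are not fully covered by these patterns; redaction only limits further spread of the log, so a password that was logged still has to be rotated.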

