"hg archive" with remote URL
Kastner Masilko, Friedrich
kastner-masilko at at.festo.com
Fri Aug 9 15:02:14 UTC 2013
> From: Mutlu Dogruel [mailto:mutludogruel at gmail.com]
>
> I don't want to be off topic, but Chef installs the necessary packages.
I don't think explaining your use case a bit further is off topic here. Remember that people on the Mercurial mailing list don't necessarily know all about automation platforms. Without really understanding your use case it is harder to give a good answer.
> If you use a git Chef recipe involving fetching some source code, it
> installs the correct package for git behind the scenes (using apt-get
> or yum or whatever is appropriate) before executing the required git
> command. In this scenario, "git archive URL" makes sense. This way, we
> are not cloning entire repositories. Job done. I don't mind installing
> hg or git just for the sake of grabbing the latest snapshot of a repo.
> It's not a big deal, they are lightweight, and it's done by Chef.
That's clear to me. Still, I think wget and such are more lightweight than git or hg.
> If using a user name & password with curl, instead of the more secure
> ssh keys, first of all, you have to make sure curl is installed on the
> remote machine, secondly and more importantly, the command line history
> and the Chef logs will contain those lines showing your password in
> plain text! I am not claiming using user name & password with curl
> won't work. It does, as I wrote in my previous message. Chef itself,
> too, works with ssh keys, and this is what we prefer as well. For this
> reason, instead of using curl, we will be doing "hg clone, hg archive
> and rm .hg" for now.
Ah, I think I see your point now: you already have an SSH key on your machine (for Chef to work), and you want to re-use that.
In this case the logs containing the password is not so big of a problem if they have the same viewing rights as the .ssh files. The key to get to the repo is already on the machine, so I think in terms of security you are on par with the password method. IMHO there is no difference between getting the password from a log and having the key right there in the .ssh directory. But I can understand that you are concerned about having them transmitted over the wire in the first place.
That said, wget offers the possibility to use a file for user/password settings. If you have to pre-install SSH keys on the remote machine for Chef to work, how about pre-installing a user/password file along with them? You could e.g. create a .wgetrc like so:
    user = CompanyChef
    password = <Lets_just_use_some_hash_here>

and then issue this in the script:

    wget https://bitbucket.org/company/secretrepo/get/tip.zip
I just tried that and it works like a charm. Maybe you can forward such ideas to the BB team, who knows what clever solution they could work out with them?
Regards,
Fritz
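An added example, not part of the original message: one way to pre-install the wget credentials file so that it has the same viewing rights as an SSH private key, and to refuse to fetch when it does not. The function names are hypothetical, and reading the password from stdin (so it never appears in argv, shell history or a logged command line) is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the thread).

# mode_of FILE: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_private FILE: succeed only for a regular, non-symlink file with no
# group/other permission bits, i.e. the rule applied to ~/.ssh private keys.
is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    m=$(mode_of "$1") || return 1
    case "$m" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# write_wgetrc FILE USER: password comes from stdin, never from argv.
# The file is removed first because a redirect keeps the mode of an
# existing file; umask 077 makes the new file owner-only (0600).
write_wgetrc() {
    ( umask 077
      IFS= read -r pw || [ -n "$pw" ] || exit 1
      rm -f "$1"
      printf 'user = %s\npassword = %s\n' "$2" "$pw" > "$1" )
}

# fetch_snapshot RCFILE URL OUT: run wget with RCFILE as its startup file
# (WGETRC environment variable), but only if RCFILE is private.
fetch_snapshot() {
    is_private "$1" || {
        echo "refusing: $1 is accessible by group/other" >&2
        return 2
    }
    WGETRC="$1" wget -q -O "$3" "$2"
}

# Usage, with the URL from the message above:
#   write_wgetrc "$HOME/.wgetrc" CompanyChef < /path/to/provisioned/secret
#   fetch_snapshot "$HOME/.wgetrc" \
#       https://bitbucket.org/company/secretrepo/get/tip.zip tip.zip
```

The logged command line then contains only the URL and the path of the credentials file, not the password.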