[tor-bugs] #23756 [Core Tor/Tor]: tor's .gitlab-ci.yml is doing mirroring? why?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 4 00:53:36 UTC 2017
#23756: tor's .gitlab-ci.yml is doing mirroring? why?
------------------------------+--------------------------------
Reporter: isis | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor | Version: Tor: 0.3.1.3-alpha
Severity: Normal | Keywords: tor-ci
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------------------
Currently in master we have the following stanza in our .gitlab-ci.yml
(from #22891):
{{{
update:
  script:
    - "apt-get install -y --fix-missing git openssh-client"
    # Run ssh-agent (inside the build environment)
    - eval $(ssh-agent -s)
    # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
    - ssh-add <("$DEPLOY_KEY")
    # For Docker builds disable host key checking. Be aware that by adding that
    # you are susceptible to man-in-the-middle attacks.
    # WARNING: Use this only with the Docker executor, if you use it with shell
    # you will overwrite your user's SSH config.
    - mkdir -p ~/.ssh
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
    # In order to properly check the server's host key, assuming you created the
    # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
    # instead.
    - mkdir -p ~/.ssh
    - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
    - echo "merging from torgit"
    - git config --global user.email "labadmin@oniongit.eu"
    - git config --global user.name "gitadmin"
    - "mkdir tor"
    - "cd tor"
    - git clone --bare https://git.torproject.org/tor.git
    - git push --mirror git@oniongit.eu:network/tor.git
}}}
Why are we doing this? Can we put a cronjob on the oniongit.eu server
instead? It's pretty weird and frankly unexpected that my personal fork of
tor at https://gitlab.com/isis/tor is cloning the official tor repo and
then trying to mirror it to oniongit.eu. It also has a bunch of other
problems:
* The `ssh-add` line [https://gitlab.com/isis/tor/-/jobs/34990901 is
broken, causing CI to fail because it sits there forever waiting for a
passphrase].
I was originally going to patch the `ssh-add` line to instead be `[[ -n
"${DEPLOY_KEY}" -a -r "$DEPLOY_KEY" ]] && ssh-add "$DEPLOY_KEY" <<<""` but
if I fix that, then all the rest of this script would run, so I'm rather
glad it's failing on a more innocuous command.
* Even if the `ssh-add` line weren't broken, this whole thing fails unless
it's being run from a fork on oniongit.eu.
* Why is it disabling SSH hostkey checking?!
* Why is it making the `~/.ssh` directory twice?
* Why is it assuming that environment variables are set? e.g. `$FOO`
versus `${FOO}` or better `test -n ${FOO}`
* Why is it unconditionally setting (global!) git config options? (I
assume to disable the warning that git spits out when you don't have
`$GIT_{AUTHOR,COMMITTER}_{NAME,EMAIL}` set, but why would a CI config set
them globally instead of just setting the correct environment variables?)
* Why are the mirror URLs hardcoded?
* Why is the git username and email hardcoded?
* Why is any of this even running when I push to
https://gitlab.com/isis/tor?
* Why is it unconditionally starting an ssh-agent?
I'm sorry if this is all necessary and I'm just not understanding the
setup, but it's all just extremely unexpected behaviour from what is
supposed to be a CI config file. Further, it's not even doing the same
testing as our .travis.yml, but I'll make another ticket for that issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23756>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
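
The points raised in the ticket, applied to a mirror step, as an added example that is not part of the original ticket or the project's CI file. It assumes `DEPLOY_KEY` holds the private key text; `CANONICAL_PROJECT`, `MIRROR_SRC` and `MIRROR_DST` are hypothetical CI variables, and `CI_PROJECT_PATH` is GitLab's predefined project path variable.

```shell
# Added example, not the project's script. Assumptions: DEPLOY_KEY holds the
# private key text; CANONICAL_PROJECT, MIRROR_SRC and MIRROR_DST are
# hypothetical CI variables; CI_PROJECT_PATH is predefined by GitLab CI.

# Decide whether this job may mirror. Distinct return codes say why not.
mirror_preflight() {
  # 10: running in a fork or an unrelated project, so do nothing
  [ -n "${CANONICAL_PROJECT:-}" ] &&
    [ "${CI_PROJECT_PATH:-}" = "$CANONICAL_PROJECT" ] || return 10
  # 11: no deploy key configured
  [ -n "${DEPLOY_KEY:-}" ] || return 11
  # 12: no pinned host keys; refuse instead of disabling host key checking
  [ -n "${SSH_SERVER_HOSTKEYS:-}" ] || return 12
  # 13: source and destination must come from variables, not hardcoded URLs
  [ -n "${MIRROR_SRC:-}" ] && [ -n "${MIRROR_DST:-}" ] || return 13
  return 0
}

# Build the ssh command line; $1 is a private directory holding "key" and
# "known_hosts". BatchMode=yes makes ssh fail instead of waiting for a
# passphrase, and no ssh-agent or ~/.ssh/config is touched.
mirror_ssh_command() {
  printf 'ssh -i %s/key -o IdentitiesOnly=yes -o BatchMode=yes ' "$1"
  printf '%s %s' '-o StrictHostKeyChecking=yes' "-o UserKnownHostsFile=$1/known_hosts"
}

# Runs in a subshell, so umask, variables and the cleanup trap stay local.
mirror_run() (
  mirror_preflight || exit $?
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  umask 077
  printf '%s\n' "$DEPLOY_KEY" > "$work/key"
  printf '%s\n' "$SSH_SERVER_HOSTKEYS" > "$work/known_hosts"
  GIT_SSH_COMMAND=$(mirror_ssh_command "$work")
  export GIT_SSH_COMMAND
  # clone --bare and push --mirror create no commits, so no git identity
  # (user.name / user.email) needs to be configured at all.
  git clone --bare "$MIRROR_SRC" "$work/repo.git" &&
    git -C "$work/repo.git" push --mirror "$MIRROR_DST"
)
```

Calling `mirror_run` as the job's only script step leaves a push to a personal fork as a no-op with exit code 10, which the job can treat as a skip.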