-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crates.io releases? #1092
Comments
Support for SSH access using local keys will likely be removed soon. Currently SSH fetch is supported with SSH agent forwarding in the latest docker image, but not push yet. |
About the initial question: We currently don't release to crates.io anymore and I don't think it really makes sense for the proxy. |
Oh, that would be a bummer. :/ |
The main reason for that is that it’s insecure, and that SSH agent forwarding fully covers all potential use cases. You can even try it with the latest container by overriding GIT_SSH_COMMAND to enable ssh ForwardAgent option |
I don't see how it is insecure for josh to just run as my user ID and do a |
It’s insecure because when deployed, it lets users to essentially bypass authentication by using the key on the server. as for docker requirement, unfortunately it is there to stay. We can’t even guarantee josh will always be fully functional when run as a single process - simply because it needs additional services to work, hence the multi-service container. Docker is a more or less industry standard, so I can’t really see how it makes things complicated. one thing you could try is just build a container from a given commit sha locally and then run it |
Ah sure, on a server it shouldn't use the local keys. In the docker container there won't be any local keys anyway. When running it locally however, it using my keys seems fine? Though maybe I should use josh-filter instead -- we went for the proxy as that's what the documentation mostly talks about. Does josh-filter have support for caching?
🤷 I still find docker pretty complicated and struggle each time I have to use it (which is rare). It's whole set of custom terminology, tons of implicit global state, and fairly poor UI don't help. I totally believe that if you use it all the time, it all makes sense and you know how to circumnavigate its rough edges, but for occasional use I find it fairly annoying. |
Yeah locally using locally available keys makes more sense. And you’re right that this might not be the best use of a proxy. I don’t think josh-filter has cache but maybe @christian-schilling can correct me |
Would it help if there was a script or something in the repo for building and running release containers? Currently we have one for test containers but not for release |
I mean, the one-liner is not so bad:
The problem is all the "things around" the container, which will be hard to put into a script -- things like #1089. (It took me quite a while to figure out that adding And then there is the authentication problem, as we discussed in #1089. Though for a docker container I run locally I'd be fine giving it access to my ssh-agent (however that would work). |
It looks to me that the whole "service in a container" thing is really not that ideal for your use case. It's not really what the proxy is intended to be used for. Having a CLI that just does the filtering without the whole container/network/auth stuff would be much easier to handle. |
I don't see a way to set the cache to be used by josh-filter though? Even for the "fetch" side, I assume we'd have to arrange a bunch of things ourselves, like getting the upstream rustc commits into a local repo, and then getting the transformed commits into the Miri repo... the proxy interface is taking care of these things quite nicely. |
The fact that the version on crates.io is ancient is a big footgun: people run For anyone else reading along, we use the following command for install josh for Miri and it works great:
(You may want to bump the tag in the future, when there is a new release.) |
Correction -- the outdated versions did not just cause hours of debugging, but permanently unfixable issues since broken history has been pushed into a repo where force pushes are an absolute no-go. :( @christian-schilling it would really be better to jank the old broken versions. Or, even better, to release fixed versions on crates.io. :) |
Or at least bump the versions in Cargo.toml in the repo - it's confusing that they have the same versions as the code on crates.io, although the code in the repo is 2 years newer. |
See comment on #1409 |
Looks like the latest josh release is not yet at https://crates.io/crates/josh. Are new releases usually put there?
When using josh as a docker image it cannot access my SSH keys for pushing, so I plan to change our instructions to install josh via
cargo install
instead, but currently we have to do that from the git repo since the crates.io version is outdated. Hence the question.The text was updated successfully, but these errors were encountered: