The aurweb Git and SSH interface
================================

Since release 4.0.0, aurweb uses Git repositories to store packages. Git
namespaces (see gitnamespaces(7)) are used to share the object database, such
that delta compression can be applied across package base boundaries.

Internally, all packages are stored in a single Git repository. Special refs,
so-called namespaced branches, are used to refer to the commits corresponding
to the actual package bases. For convenience, we also create a branch for each
package repository that carries the name of the corresponding package base,
such that one can easily access the history of a given package base by running
`git log <pkgbase>`. To the end-user, the individual namespaced branches are
presented as separate Git repositories.

Authentication: git-auth
------------------------

Pushing to package repositories is possible via SSH. In order to access the SSH
interface, users first need to add an SSH public key to their account using the
web interface. Authentication is performed by the git-auth
AuthorizedKeysCommand script (see sshd_config(5) for details) that looks up the
public key in the AUR user table. Using this concept of "virtual users", there
is no need to create separate UNIX accounts for each registered AUR user.

If the public key is found, the corresponding authorized_keys line is printed
to stdout. If the public key does not exist, the login is denied. The
authorized_keys line also contains a forced command such that authenticated
users cannot access anything on the server except for the aurweb SSH interface.
The forced command can be configured in the aurweb configuration file and
usually points to the git-serve program.

The INSTALL file in the top-level directory contains detailed instructions on
how to configure sshd(8) to use git-auth for authentication.

The git-serve command, the "aurweb shell", provides different subcommands:

* The help command shows a list of available commands.
* The list-repos command lists all repositories of the authenticated user.
* The setup-repo command can be used to create a new repository.
* The restore command can be used to restore a deleted package base.
* The git-{receive,upload}-pack commands are redirected to git-shell(1).

The requested command is extracted from the SSH_ORIGINAL_COMMAND environment
variable which is usually set by the SSH daemon. If no command is specified,
git-serve displays a message that aurweb does not provide an interactive shell.

When invoking git-shell(1), the git-serve command also redirects all paths to
the shared Git repository and sets up the GIT_NAMESPACE environment variable
such that Git updates the right namespaced branch.
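
The dispatch described above, sketched as an added example (not aurweb's own
git-serve code). The shared repository path, the package base name pattern and
the `dispatch`/`Denied` names are assumptions made for illustration:

```python
import re
import shlex

SHARED_REPO = "/srv/example/aur.git/"  # constructed path, not from aurweb
PKGBASE_RE = re.compile(r"[a-z0-9][a-z0-9.+_-]*")  # assumed naming policy
OWN_COMMANDS = {"help", "list-repos", "setup-repo", "restore"}
GIT_COMMANDS = {"git-receive-pack", "git-upload-pack"}


class Denied(Exception):
    """The request is rejected before anything is executed."""


def dispatch(ssh_original_command):
    """Map SSH_ORIGINAL_COMMAND to (argv, extra_env) or raise Denied."""
    if not ssh_original_command:
        raise Denied("interactive shell is disabled")
    try:
        argv = shlex.split(ssh_original_command)
    except ValueError:  # e.g. unbalanced quotes sent by the client
        raise Denied("malformed command line")
    if not argv:
        raise Denied("interactive shell is disabled")
    action, args = argv[0], argv[1:]

    if action in OWN_COMMANDS:
        return [action] + args, {}
    if action not in GIT_COMMANDS:  # allowlist: nothing else is reachable
        raise Denied("invalid command: " + action)
    if len(args) != 1:
        raise Denied("expected exactly one repository path")

    # The client-supplied path only selects a namespace; it is never
    # used as a filesystem path on the server.
    path = args[0].strip("/")
    if not path.endswith(".git"):
        raise Denied("invalid repository path")
    pkgbase = path[:-len(".git")]
    if not PKGBASE_RE.fullmatch(pkgbase):
        raise Denied("invalid package base name")

    # Every request is redirected to the one shared repository.
    git_cmd = "{} {}".format(action, shlex.quote(SHARED_REPO))
    return ["git-shell", "-c", git_cmd], {"GIT_NAMESPACE": pkgbase}
```

Because the path from the client is reduced to a validated namespace name,
input such as `'../../etc.git'` is rejected instead of reaching git-shell(1).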

The Update Hook: git-update
---------------------------

The Git update hook, called git-update, performs several subtasks:

* Prevent the creation of branches or tags other than master.
* Deny non-fast-forwards, except for Trusted Users and Developers.
* Check each new commit (validate metadata, impose file size limits, ...)
* Update package base information and package information in the database.
* Update the named branch and the namespaced HEAD ref of the package.

It needs to be added to the shared Git repository, see INSTALL in the top-level
directory for further information.

Accessing Git repositories via HTTP
-----------------------------------

Git repositories can also be accessed via HTTP by configuring the web server to
forward specific requests to git-http-backend(1). Note that, since Git
namespaces are used internally, the web server also needs to rewrite URIs and
set up the GIT_NAMESPACE environment variable accordingly before forwarding a

An example configuration for nginx and fcgiwrap can be found in the INSTALL
instructions in the top-level directory.