[tor-bugs] #23756 [Core Tor/Tor]: tor's .gitlab-ci.yml is doing mirroring? why?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 4 00:53:36 UTC 2017


#23756: tor's .gitlab-ci.yml is doing mirroring? why?
------------------------------+--------------------------------
     Reporter:  isis          |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.1.x-final
    Component:  Core Tor/Tor  |    Version:  Tor: 0.3.1.3-alpha
     Severity:  Normal        |   Keywords:  tor-ci
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 Currently in master we have the following stanza in our .gitlab-ci.yml
 (from #22891):

 {{{
 update:
   script:
     - "apt-get install -y --fix-missing git openssh-client"

     # Run ssh-agent (inside the build environment)
     - eval $(ssh-agent -s)

     # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
     - ssh-add <("$DEPLOY_KEY")

     # For Docker builds disable host key checking. Be aware that by adding that
     # you are susceptible to man-in-the-middle attacks.
     # WARNING: Use this only with the Docker executor, if you use it with shell
     # you will overwrite your user's SSH config.
     - mkdir -p ~/.ssh
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
     # In order to properly check the server's host key, assuming you created the
     # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
     # instead.
     - mkdir -p ~/.ssh
     - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
     - echo "merging from torgit"
     - git config --global user.email "labadmin@oniongit.eu"
     - git config --global user.name "gitadmin"
     - "mkdir tor"
     - "cd tor"
     - git clone --bare https://git.torproject.org/tor.git
     - git push --mirror git@oniongit.eu:network/tor.git
 }}}

 Why are we doing this? Can we put a cronjob on the oniongit.eu server
 instead? It's pretty weird and frankly unexpected that my personal fork of
 tor at https://gitlab.com/isis/tor is cloning the official tor repo and
 then trying to mirror it to oniongit.eu. It also has a bunch of other
 problems:

 * The `ssh-add` line [https://gitlab.com/isis/tor/-/jobs/34990901 is
 broken, causing CI to fail because it sits there forever waiting for a
 passphrase].

   I was originally going to patch the `ssh-add` line to instead be `[[ -n
 "${DEPLOY_KEY}" -a -r "$DEPLOY_KEY" ]] && ssh-add "$DEPLOY_KEY" <<<""` but
 if I fix that, then all the rest of this script would run, so I'm rather
 glad it's failing on a more innocuous command.

 * Even if the `ssh-add` line weren't broken, this whole thing fails unless
 it's being run from a fork on oniongit.eu.
 * Why is it disabling SSH hostkey checking?!
 * Why is it making the `~/.ssh` directory twice?
 * Why is it assuming that environment variables are set? e.g. `$FOO`
 versus `${FOO}` or better `test -n ${FOO}`
 * Why is it unconditionally setting (global!) git config options? (I
 assume to disable the warning that git spits out when you don't have
 `$GIT_{AUTHOR,COMMITTER}_{NAME,EMAIL}` set, but why would a CI config set
 them globally instead of just setting the correct environment variables?)
 * Why are the mirror URLs hardcoded?
 * Why is the git username and email hardcoded?
 * Why is any of this even running when I push to
 https://gitlab.com/isis/tor?
 * Why is it unconditionally starting an ssh-agent?


 I'm sorry if this is all necessary and I'm just not understanding the
 setup, but it's all just extremely unexpected behaviour from what is
 supposed to be a CI config file. Further, it's not even doing the same
 testing as our .travis.yml, but I'll make another ticket for that issue.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23756>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
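
The following is an added example, not part of the ticket or of tor's repository: one way a mirror job could address the points raised above (no-op on forks, pinned host keys, no agent, no global config, no hardcoded URLs). It assumes DEPLOY_KEY is a path to a key file, as the reporter's proposed patch treats it; MIRROR_PROJECT_PATH and the function names are hypothetical, and CI_PROJECT_PATH is GitLab's predefined variable.

```shell
# Added example; not from the ticket or from tor's .gitlab-ci.yml.
# Assumptions: DEPLOY_KEY is a path to a private key file, SSH_SERVER_HOSTKEYS
# holds known_hosts lines, and MIRROR_PROJECT_PATH (hypothetical) names the one
# project that is allowed to mirror.

# Return 0 only if this job should mirror; otherwise print why and return >0.
mirror_preflight() {
  if [ -z "${MIRROR_PROJECT_PATH:-}" ] ||
     [ "${CI_PROJECT_PATH:-}" != "$MIRROR_PROJECT_PATH" ]; then
    echo "skip: ${CI_PROJECT_PATH:-unknown project} is not the mirror project"
    return 1
  fi
  if [ -z "${DEPLOY_KEY:-}" ] || [ ! -r "$DEPLOY_KEY" ]; then
    echo "skip: DEPLOY_KEY is unset or not a readable file"
    return 2
  fi
  if [ -z "${SSH_SERVER_HOSTKEYS:-}" ]; then
    echo "skip: SSH_SERVER_HOSTKEYS is unset, refusing to push unverified"
    return 3
  fi
  return 0
}

# Write the pinned host keys into a job-private directory and print the ssh
# command for GIT_SSH_COMMAND. ~/.ssh is never touched and no agent is started;
# BatchMode makes ssh fail instead of waiting for a passphrase.
mirror_ssh_command() {
  dir=$1
  ( umask 077; printf '%s\n' "$SSH_SERVER_HOSTKEYS" > "$dir/known_hosts" )
  printf "ssh -i '%s' -o IdentitiesOnly=yes -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile='%s'\n" \
    "$DEPLOY_KEY" "$dir/known_hosts"
}

# Mirror SRC to DST; both URLs come from the caller instead of being hardcoded.
mirror_run() {
  src=$1 dst=$2
  mirror_preflight || return 0      # a fork's pipeline passes without mirroring
  work=$(mktemp -d) || return 1
  GIT_SSH_COMMAND=$(mirror_ssh_command "$work")
  export GIT_SSH_COMMAND
  if git clone --bare "$src" "$work/repo.git" &&
     git -C "$work/repo.git" push --mirror "$dst"; then
    status=0
  else
    status=1
  fi
  rm -rf "$work"
  return "$status"
}
```

A job would source this and call mirror_run with the source and destination URLs taken from project variables.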

