First git based automated build

Derek Atkins warlord at MIT.EDU
Mon Aug 13 09:40:17 EDT 2012


Hi,

Geert Janssens <janssens-geert at telenet.be> writes:

> On 13-08-12 00:47, Derek Atkins wrote:
>>
>> Geert, nice work. Glad we have that working.  One step closer.
>
> The only thing that still has to happen here is to activate git based
> builds in daily_build.bat. Is it ok if I do so (only for trunk
> obviously) ?

For now, yes.  But I think we will need to figure out how to do the tag
builds too.

>> John, I see only two reasonable options, github or code.gnucash.org. I think both sf and gnome are non-starters. Github is an option because some devs are already using it. I don't know if it can provide all the hooks we want, such as port knockers to kick off updates of web servers and such.
>
> I found two plugins on Github [1] I consider useful in this respect:
> - Mail: this plugin sends a mail to one or more e-mail addresses of
> choice on each push to the repo. This could possibly replace the
> commit hooks that trigger mails to gnucash-changes and
> gnucash-patches. The mail format is different from the mails we
> currently send, but sufficient in my personal opinion. I'll attach an
> example so others can have a look as well.
> - WebHook URLs: a generic plugin that will hit a chosen URL with a
> POST request. The post payload is json coded information on the
> commits that were pushed. We could set this up to trigger a service on
> code.gnucash.org, which can then decide to do whatever, including
> sending e-mails on mailing lists, kicking off a webserver
> update,... The public IPs used by GitHub for this Web trigger are
> published, so the risk of anyone spoofing the trigger is limited (no,
> I'm not a security expert).

The current triggers are all "security through obscurity" anyways.
That's why they are hidden.  It's basically a netcat to a magic port and
sending a magic string.  That notifies e.g. www.gnucash.org to perform
an svn update in the htdocs tree.

Webhook might work, but I suspect it would have to be "visible" so
anyone would know what the magic sauce is.  Security would be completely
by source IP address, and that presupposes we could get the web service
backend to notice the source IP.  (I'm sure it's possible, but it's
harder than just a raw firewall rule to prevent access to anything but
known IPs).

> All the other plugins are written to integrate with loads of other
> public services, both social or dev related. I don't think they will
> be of much help for our current config.
>
> Geert
>
> [1] https://github.com/Gnucash/gnucash/admin/hooks

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
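
The source-IP check discussed in this message, sketched as an added example; it is not part of the original e-mail and not GnuCash infrastructure code. It authorizes a webhook POST by the TCP peer address and honours `X-Forwarded-For` only when the peer is the site's own proxy. The CIDR ranges, branch name, action name and the `ref` payload field are assumptions or constructed placeholders.

```python
import ipaddress
import json

# Constructed placeholder ranges (documentation address space); a real
# deployment would load the ranges published by the hook sender.
ALLOWED_SENDERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
# Reverse proxies we operate ourselves; only they may vouch via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
WATCHED_REF = "refs/heads/trunk"  # hypothetical branch name


def _member(addr, networks):
    # A v4 address is never "in" a v6 network (and vice versa).
    return any(addr in net for net in networks)


def effective_client(peer, headers):
    """Address to authorize: the TCP peer, or, when the peer is our own
    proxy, the last X-Forwarded-For hop (the one that proxy appended)."""
    try:
        addr = ipaddress.ip_address(peer)
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:a.b.c.d on dual-stack sockets
        if _member(addr, TRUSTED_PROXIES):
            hops = headers.get("X-Forwarded-For", "").split(",")
            addr = ipaddress.ip_address(hops[-1].strip())
        return addr
    except ValueError:
        return None  # unparsable peer or header: treat as unauthorized


def handle_hook(peer, headers, body):
    """Return (http_status, action); action is None unless an update is due."""
    client = effective_client(peer, headers)
    if client is None or not _member(client, ALLOWED_SENDERS):
        return 403, None  # header contents from untrusted peers are ignored
    try:
        ref = json.loads(body)["ref"]  # assumed field naming the pushed ref
    except (ValueError, KeyError, TypeError):
        return 400, None
    # The payload only selects among fixed actions; it never reaches a shell.
    if ref == WATCHED_REF:
        return 202, "update-htdocs"
    return 200, None
```

A firewall rule restricting the listening port to the same ranges remains the simpler first layer; the in-application check matters once a proxy sits in front of the service and the firewall sees only the proxy's address.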

