1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
EndoForge
===================
### A `Self-Forge`
Convert any Git repository into a `Self-Forge` with a simple setting change.
Synopsis:
```
git config core.self-forge true
```
Install `EndoForge`:
```
make install
```
## WHAT IS A `Self-Forge`
A `Self-Forge` is a `Git` repository that allows anonymous contribution directly
through the `Git-Over-SSH` protocol. Each contributor is directly validated with
`OpenSSH` cryptography.
A `Self-Forge` relieves the owner of the repository and the repository's other
contributors from all needing to share a common "hub" `Forge` before the owner
can accept a contribution. Instead, users need only `IP` connectivity to the
machine containing the repository.
The contributions are stored in namespaces according to the public keys of the
contributors. This prevents collisions.
(It is also possible to do _without_ `IP` connectivity using DHT connectivity;
see `tuntox.git`.)
## WHAT IS A `Forge`
A `Forge` is a "place" where programmers share source code. (Anyone could share
any content, in principle. The point is to track past changes.) The largest
`Forge`, for example, is Microsoft's `GitHub`.
Note that a `Forge` is different from a web site. A `Git`-based `Forge` must
accept contributions in the `Git-Over-SSH` protocol. That is the convenient and
standard way to use `Git`.
Nevertheless, the typical `Forge` requires users to go sign up for some web
service before they can connect using `Git`'s native language of `SSH`.
`EndoForge` uses the key provided by the `SSH` client.
Using a `Self-Forge` relieves users of dependency on any troublesome
intermediary `Forge`. You get your own `Forge`. You are your own `Forge`.
## What is `Git-Over-SSH`
`Git-Over-SSH` is the standard `Git` protocol for _both reading and writing_ a
repository. It is the same `Git` protocol one uses when _pushing_ to
`github.com` or any other `Git`-based `Forge`.
`Git` has other protocols for read-only access, including `Git-Over-HTTPS`. That
type of access to a `Git` repository, including domain name and CA certificate,
can be provided via `CGit` by running `selfpublish.sh`.
HOW TO ACCESS A SELF-FORGE
--------------------------
Users can run `git clone` on your `SSH` address, like this:
[TODO: edit document dynamically to get real values here]
```
git clone $(id -u)@$(hostname):$(pwd)
```
They can then commit changes to the repository, and push them back to `origin`.
The changes will exist in a separate space from where any other user can
overwrite. The cryptography of `OpenSSH` makes this possible.
HOW IT WORKS
------------
Normally, `OpenSSH` server only permits connections from users whose keys have
been pre-authorized on the server. `OpenSSH` assumes that access should be
closed to new users. Installing `EndoForge` modifies the `OpenSSH` server
configuration so that this assumption is reversed. Access is opened to unknown
users.
Anonymous users are forced to run the command `~/.ssh/AnonymousAccessCommand`
upon login, instead of whatever command they select for themselves. The user can
choose or configure their `AnonymousAccessCommand` to provide sandboxing, or to
implement a user authentication scheme in some flexible way.
`EndoForge` installs a `~/.ssh/AnonymousAccessCommand` that allows anonymous
users to run the `Git` protocol commands (`git-receive-pack`, etc.) to access
repositories available on the system. A repository must be configured
`core.self-forge true` to allow this access.
INSTALLATION
--------------
Run:
```
make install
```
This installs the `AnonymousAccessCommand` in the current user's home directory
(under `$HOME/.ssh`).
Then, if sudo access is available, it enables anonymous access by editing the
system `OpenSSH` configuration. This allows any user to listen for `SSH`
connections via the file `$HOME/.ssh/AnonymousAccessCommand`.
Finally, the command to enable public access to the `Self-Forge` may be run:
Run:
```
git config core.self-forge true
```
Note that, once installed, you can run this in ANY repository.
You can also run `make shared` but that just runs the same `git config` for you.
## HOW TO DISABLE
To disable public access to the repository, run:
```
git config core.self-forge false
```
NON-ROOT INSTALLATION
---------------------
A systemd unit file to run `OpenSSH` as an unprivileged user is included.
The configuration file sets the port to `22022`.
This type of installation is vastly inferior to one requiring root, because
`OpenSSH` is much easier to connect to servers that listen on port `22` than any
other port.
The `install-user` target runs the unprivileged `OpenSSH` server.
```
make install-user
```
The script `selftest.sh` tests connecting to the port 22022 server.
|
