gitolite -- managing multiple git repositories

[this article rated G (Geeks only), GG in some geographies (Git Geeks only)]

Well, after more than a year of using and championing gitosis, I finally got off my duff and created "gitolite".

It is certainly inspired by gitosis's basic ideas, but it lets you specify per-branch permissions -- which is a really big thing and something I am often asked about at work.  It's written entirely in perl (of course), and designed to be installed and used, without needing root access, on any Unix machine that managed to install git and perl.  And I think my config file format is much simpler than gitosis's, but maybe I'm prejudiced :-)

The README (nicely formatted, thanks to github) is at that same URL; just go down the page a little.


what distro do I favour...

[offby1 asked me this in a comment to a previous blog post.  I replied briefly, then realised I had a lot more to say on the subject.]

I've been a Mandrake user since late 99 or early 2000 or so.  I had a brief flirtation with Ubuntu in between, but it didn't work out.

I'm a confirmed KDE fan -- I never liked Gnome philosophically, even before Mono dependencies like F-Spot and Beagle started becoming standard.  I hate the look and feel, I hate the minimalism, and I really, *really*, hated that if I mounted my home directory temporarily on a colleague's Gnome box using the GUI (sftp://sitaram@my.ip.address), Gnome would remember the credentials for a long time afterward, while KDE would obligingly forget about them immediately.  [Tested again today; Gnome now has a nice button that says "forget password immediately".  Whoo hoo!  But does it forget?  No!  After 2 minutes it still remembered it -- it had kept the VFS session open in the background and just reconnected when the URL was typed in again.  I didn't wait around to see when it expires; I just killed the processes that seemed to have the connection open and changed my password just in case!  Bloody awful security if you ask me...]

Ok where was I... KDE, right...

But recently, having to install MDV 2009.1 on my dad's old clunker made me realise the charms of one of the alternative desktop+WMs.  Specifically, LXDE+openbox -- it's really fast compared to KDE.  And when I tried it on my Core 2 Duo + 2GB desktop, I was surprised to find that it makes a difference even on that, so that's what I use now.

Of course, there are many pieces of KDE I need, and like.  For example, the hardware volume buttons on a laptop only respond when "kmix" is running, so I run kmix.  I still like "konsole" more than "lxterminal".  Then there's Okular, dolphin, gwenview (a KDE program whose name starts with a "G" -- go figure!), krusader, all of which I like very much.  I just no longer run kwin (the window manager) that's all.

In fact, it actually doesn't matter even if I *install* all of KDE -- hard disk space is not the problem.  They just don't get loaded into RAM, that's all.

Downside: I lose all the fancy transparency stuff.  That was cute, and even useful sometimes (like typing something into the bottom window while reading off the top window which was at 75% transparency -- very impressive!) but I can live without it.

...and people wonder why git is so fast

Over the past few days, there has been a huge amount of activity on the git mailing list, mostly from Linus himself, over the speed of the SHA-1 routines within git.

Being the "God" he is, one hesitates to call him names like "obsessive compulsive". Thankfully, it looks like he's enough of a human to do that himself :-)

-------- Original Message --------

via Linus' blog by Linus on 8/9/09
I've actually written code lately, although for some reason it's been all these stupid projects. First I needed to fix the kernel tty refcounting, then I got all OCD on the git SHA1 routines.

I don't quite know why I wasted that much time on something as trivial as SHA1 hashing, but it was kind of fun in a "let's use the compiler as a glorified assembler" kind of way. Some people seem to think that C is a real programming language, but they are sadly mistaken. It really is about writing almost-portable assembly language, and it turns out that getting good results from SHA1 really is mostly about trying to fight the compiler's tendency to try to be clever.

So here is the current result of me trying to get gcc (well, arguably of it is mostly the C pre-processor, rather than the compiler proper) to generate good assembly code. On my Nehalem machine (but not Netburst or Atom - poor fragile micro-architectures that they are), it actually seems to outperform the OpenSSL hand-written assembly language implementation.

And once I get rid of libcrypt from openssl, I get rid of two silly runtime loadable libraries that git no longer needs. And that in turn speeds up the test-suite by a couple of seconds.

Did I mention that I seem to have some OCD issues?


yet another reason to not recommend Ubuntu


The first para is quite hard hitting.  And this is from Jon Corbet, the LWN editor, who's much more likely to understate things than otherwise, so that sorta doubles the effect.

how to meet a friend you haven't seen for a while

...get your car stuck somewhere close to his home and call him :-)

Thanks, R!


the Whitman defense

"I contradict myself? Very well then I contradict myself. I am large, I contain multitudes."


(from http://arstechnica.com/microsoft/news/2009/08/microsoft-word-1983---2009-rest-in-peace.ars)


how twitter got hacked...


no technical hacking here; very, very simple stuff; please read (especially K)

Step 1:

When you register a new gmail account you give them a "secondary" email.  If you forget your password you can ask gmail to send a "password reset" link to this secondary email.

In this case, the hacker found that

  - his victim had a "hotmail" address as a secondary
  - he had not used that address for years
  - so hotmail had expired/deleted it (I don't blame them on this; even if it is MS!)
  - so anyone was free to register that address again
  - so the hacker simply registered it himself
  - thus getting the "password reset" email for his victim's gmail account :-)

Step 2:

The second part is even simpler.  He needed to reset the password back to what the owner **currently** uses, otherwise the owner would get suspicious (if he was unable to log in next time).  And he needed to do this very quickly.

  - he looked through all the saved email on the hacked gmail account
  - found a few passwords helpfully sent back by various services to which the victim had subscribed
  - gambled that the victim uses the same password for everything
  - and reset the gmail password to that

Step 3:

Once he was sure everything was OK, he just used that same password to access the victim's **official** twitter email.


Who needs cryptography, buffer overflows, complicated shellcode, rootkits, and all that techie stuff when users can be this naive :-)  I mean there's not a byte of code or a mangled URL or a malicious Javascript or even a single HEX character in this whole thing!!!

Moral of the story:

  - never use the same password for more than one service.
  - delete registration emails from websites if they contain your password.  Be sure to empty trash (or "delete forever") too
  - in any case, change your passwords once in a while
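
To act on the first two morals, here is an added example (not part of the original post) that scans your own saved mail for messages carrying a password in the body and reports any password that shows up from more than one service. The sample messages, addresses and the label pattern are constructed for illustration; a real mailbox will need the pattern tuned.

```python
import email
import re
from collections import defaultdict
from email import policy

# Constructed sample messages (not real mail); addresses and secrets are made up.
SAMPLE_MESSAGES = [
    "From: signup@forum.example\nSubject: Welcome to the forum\n\n"
    "Thanks for registering.\nUsername: alice\nPassword: hunter2-demo\n",
    "From: noreply@shop.example\nSubject: Your new account\n\n"
    "Your password is: hunter2-demo\nKeep it safe.\n",
    "From: friend@mail.example\nSubject: lunch?\n\n"
    "I forgot my password again, typical. Lunch on Friday?\n",
    "From: admin@wiki.example\nSubject: Account details\n\n"
    "Login: alice\nTemporary passcode = x9!Kq-demo\n",
]

# Assumed pattern: a credential label, optional "is", then ":" or "=" and a token.
CRED_RE = re.compile(
    r"\b(?:password|passwd|passcode|pwd)\b\s*(?:is\b\s*)?[:=]\s*(\S+)", re.IGNORECASE)

def find_credential_mail(raw_messages):
    """Return [(sender, subject, secret)] for messages whose body states a password."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body else ""
        for secret in CRED_RE.findall(text):
            hits.append((str(msg["From"]), str(msg["Subject"]), secret))
    return hits

def reused_secrets(hits):
    """Map each secret mailed by more than one sender to the sorted list of senders."""
    senders = defaultdict(set)
    for sender, _subject, secret in hits:
        senders[secret].add(sender)
    return {s: sorted(who) for s, who in senders.items() if len(who) > 1}

if __name__ == "__main__":
    hits = find_credential_mail(SAMPLE_MESSAGES)
    for sender, subject, secret in hits:
        # Mask the secret so the report itself does not become another copy of it.
        print(f"delete: {sender!r} / {subject!r} (password {secret[:2]}***)")
    for secret, who in reused_secrets(hits).items():
        print(f"reused across {len(who)} services: {', '.join(who)}")
```

Every message it lists should be deleted (and purged from trash), and every service named in a "reused" line should get its own new password.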

"your toddler may be violating a patent"

found on a slashdot sig somewhere, with a link to:


amazing...  absolutely amazing.

so now I have to *thank* those fscking yellow plates?


It seems that traffic jams are least probable when about 40% of the drivers are breaking a few rules.  No word on what happens if that 40% is more like 60%, *and* they break *every* rule though.

PS: for my one and only non-Indian reader: taxis (and other "for hire" vehicles) in India carry yellow license plates (normal ones are white).  And said taxis are far and away the **WORST** drivers in any sense of the word.