I'm attracted to Mercurial as a DVCS platform, but would like an easy-to-use server similar to svnserve. There is HgServe, but that appears to be read-only. If I want to be able to host the server on another machine, it appears I need to set up Apache, etc. Is that really the case? Is there an easier method for a local network where security isn't an issue?
+3
A:
The problem here is that it's so easy, the mercurial documentation fails to appropriately cover it. If you clone with ssh:
hg clone ssh://user@host//path/to/repo /local/path
It will do the right thing on the "server" system (it automatically runs hg serve on the other end for the duration of the operation), and then any subsequent operations (push, pull, etc.) will be automatically run over ssh. (Make sure you use the double slash after the hostname if you want your path to start at the filesystem root, otherwise it'll start wherever ssh puts you).
Note that Hg "users" are separate from ssh users, so if you want everyone to use the same restricted account for ssh, they can - hg will still identify their changesets by the user set up in their .hgrc.
Nick Bastin
2010-05-05 07:50:13
And having everyone share an ssh (system) account doesn't mean having them share a password or giving them shell access. You can use the hg-ssh script in contrib to do per-user mercurial-only ssh access by key.
Ry4an
2010-05-05 10:43:27
@Ry4an: of course, you can do anything you would normally do with SSH (weighing the security implications of any system you might configure). Certainly setting up an ssh account that can only run hg and has authorized_keys from each individual user is pretty easy (dunno what hg-ssh does, but adding keys to authorized keys is very straightforward). I doubt hg is free of exploits, so it all depends on how much you trust your users.
Nick Bastin
2010-05-05 10:58:04
@Nick hg-ssh does an hg-aware scan of the remote command line to make sure it does nothing except access a single repo that's in a white list. If there are any exploits in mercurial's restricted ssh setup, someone tell bitbucket.org, because they use an ssh account shared by all to do anonymous ssh access.
Ry4an
2010-05-06 13:30:58
@Ry4an: We don't really know what bitbucket is doing behind the scenes - I actually doubt they're relying on Hg to be their SSH arbiter. Either way though, my advice to properly jail your accounts still applies, as bitbucket is probably doing. They don't *have* to rely on Hg to have a proper restriction setup if the login lives in a proper jail.
Nick Bastin
2010-05-07 03:01:01
@Nick the guys in #bitbucket say it uses a heavily modified version of that script. Additional layers are always great, but I'll hold that script up over the average webserver conf any day.
Ry4an
2010-05-07 16:11:54
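The restricted shared-account setup discussed in the comments above, as an added example that is not part of the thread and is not the hg-ssh script itself: a forced-command wrapper that accepts only the `hg -R <repo> serve --stdio` request an hg client sends over ssh, and only for allowlisted repositories. The script path, repository paths and function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Forced-command wrapper: permit only `hg -R <repo> serve --stdio` on allowlisted repos.

Hypothetical authorized_keys entry, one per user key (paths are placeholders):
  command="/usr/local/bin/hg-only.py repos/proj-a",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 <key> alice
"""
import os
import shlex
import sys


def allowed_repo(original_command, allowlist, cwd):
    """Return the normalized repo path if the request is permitted, else None."""
    try:
        argv = shlex.split(original_command)
    except ValueError:  # unbalanced quotes and similar malformed input
        return None
    # Exactly five tokens: hg -R <path> serve --stdio. Anything else is refused,
    # which also refuses trailing shell syntax such as "; other-command".
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    # Relative paths start at cwd (where ssh puts the account); an absolute path,
    # as produced by the double-slash URL form, is kept as is. normpath collapses
    # ".." so a traversal cannot match an allowlisted prefix. Symlinks are not resolved.
    repo = os.path.normpath(os.path.join(cwd, argv[2]))
    allowed = {os.path.normpath(os.path.join(cwd, p)) for p in allowlist}
    return repo if repo in allowed else None


def main():
    # sshd places the client's requested command in SSH_ORIGINAL_COMMAND
    # when a forced command is configured for the key.
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    repo = allowed_repo(requested, sys.argv[1:], os.getcwd())
    if repo is None:
        sys.stderr.write("Illegal command or repository\n")
        sys.exit(255)
    # exec without a shell, passing the validated path rather than the raw string
    os.execvp("hg", ["hg", "-R", repo, "serve", "--stdio"])


if __name__ == "__main__":
    main()
```

Because each key carries its own allowlist in its `command=` option, users share one system account without sharing a password or getting a shell.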