Create labs project arcanist
Closed, Declined; Public

Description

Project Name: arcanist
Purpose: Let users easily use arcanist
Wikitech Username of requestor: Luke081515

Current problem: Arcanist is not very usable on Windows, so I want to set up an instance where every user can create a git repo in his home directory and use arcanist. I only need one instance there for that, maybe two, but I can't realise that on Tools, because every user needs separate data (different certificates etc.). My purpose is to make it easier for users to use arcanist, to support the Gerrit migration.

Luke081515 updated the task description.
scfc added a comment. Mar 20 2016, 3:37 PM

AFAIUI, users should push their changes to a Git directory in your project and then … whatever arc does to submit the changes to Phabricator? This would involve people storing their Phabricator credentials in your Labs project, and while technically the Labs Terms of use allow that (if you add the pertinent disclaimers), this sounds like a terrible idea.

What makes Arcanist not very usable on Windows? Is there a task (upstream) about it?

Also, for MediaWiki development I would strongly recommend MediaWiki-Vagrant, and I think I saw some arc-related stuff in there.

AFAIUI, users should push their changes to a Git directory in your project and then … whatever arc does to submit the changes to Phabricator? This would involve people storing their Phabricator credentials in your Labs project, and while technically the Labs Terms of use allow that (if you add the pertinent disclaimers), this sounds like a terrible idea.

Arcanist uses a certificate, which doesn't allow logging in to Phab and changing the password directly. If you prefer, I can let arcanist use a shared account, similar to the gerrit patch uploader.

What makes Arcanist not very usable on Windows? Is there a task (upstream) about it?

See T130094#2137712

Paladox added a comment. Edited Mar 20 2016, 6:39 PM

Actually, support for Windows is new, so many bugs are expected.

https://secure.phabricator.com/book/phabricator/article/arcanist_windows/

But when I use it, it is hard, plus some things don't work, causing a push to fail. Like linting was failing for me, I think.

Maybe the Wikimedia Phabricator can set one up and allow users to use their normal git setup and commands, and on Labs it will forward it using the arc commands to Phabricator.

Also, not everyone wants to install PHP to be able to contribute to Wikimedia Phabricator. With Gerrit all you needed was a git client; now migrating to Phabricator requires extra things to install, plus making it harder with the commands they expect you to use.

scfc added a comment. Mar 20 2016, 7:21 PM

If I'm not mistaken, Arcanist is not officially "supported" anywhere (cf. T133, https://secure.phabricator.com/T4200, etc.). Even more, your idea is based on the premise that for Windows users it is easier to set up their Git → Phabricator gateway using your project than to set up Arcanist. I doubt that, especially as the "problems" with Arcanist on Windows you linked to are:

[…]
We would have to use arc, which is not even officially supported on Windows, which means any bugs found can't be fixed since Windows is not supported in Phabricator.

Plus when I tried arc it was really hard to use and kept failing for some reason not sure why it was very hard to push it.

which is about as vague as one could get.

For the general "Why run unreviewed code from some repository on the InterNet when you can use Git" audience, implementing T173 would be much more beneficial. If https://github.com/bloomberg/phabricator-tools/blob/master/doc/man/arcyd/arcyd.generated.txt is to be believed, this should be pretty easy to set up.

bd808 added a comment. Mar 20 2016, 9:09 PM

Storing user credentials in a Labs instance is a really really bad idea. This would allow anyone who is admin in that project to impersonate anyone who setup credentials on the instances in the project. The risk of a local privilege escalation that would allow one user to impersonate another is non-trivial as well.

If arc doesn't work well on Windows then a more reasonable thing to do would be to make a Vagrant VM setup that Windows users could use as a band-aid until upstream figures out how to support the platform better. It is possible to use arc from MediaWiki-Vagrant today as well, but that is probably more heavyweight than absolutely necessary if all that is needed is arc access.
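An added example, not part of the original thread or of any Wikimedia or Phabricator code: a small audit of what a shared instance would hold if users ran arc there. It assumes Arcanist's per-user config file `~/.arcrc` with a `hosts` map carrying a `cert` or `token` per server, and home directories under one root; the function names and sample users are hypothetical. It reports which accounts have a stored credential and whether the file mode exposes it to other local users, without returning the secret itself.

```python
import json
import stat
from pathlib import Path

def audit_arcrc(home_root):
    """List stored Arcanist credentials under home_root/<user>/.arcrc.

    Secret values are never returned, only which kind of credential exists.
    """
    findings = []
    for arcrc in sorted(Path(home_root).glob("*/.arcrc")):
        mode = stat.S_IMODE(arcrc.stat().st_mode)
        try:
            data = json.loads(arcrc.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed file: nothing to report
        hosts = data.get("hosts", {}) if isinstance(data, dict) else {}
        for url, entry in sorted(hosts.items()):
            if not isinstance(entry, dict):
                continue
            kinds = sorted(k for k in ("cert", "token") if entry.get(k))
            if kinds:
                findings.append({
                    "user": arcrc.parent.name,
                    "host": url,
                    "credential": kinds,
                    "mode": oct(mode),
                    # Any group/other bit exposes the file to local accounts.
                    # Mode 0600 still leaves it readable by root and by
                    # anyone with admin rights on the instance.
                    "group_or_other_access": bool(mode & 0o077),
                })
    return findings

def build_sample(root):
    """Constructed sample: two hypothetical users on one shared instance."""
    api = "https://phab.example.org/api/"
    samples = {
        "alice": ({"hosts": {api: {"token": "cli-CONSTRUCTED"}}}, 0o600),
        "bob": ({"hosts": {api: {"user": "bob", "cert": "CONSTRUCTED"}}}, 0o644),
    }
    for user, (config, mode) in samples.items():
        path = Path(root) / user / ".arcrc"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(config))
        path.chmod(mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_arcrc(tmp):
            print(finding)
```

Both sample users appear in the report; tightening the file mode only removes exposure to other unprivileged accounts, not to whoever administers the host.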

Luke081515 moved this task from Triage to Backlog on the Cloud-Services board. Mar 24 2016, 1:10 AM

Storing user credentials in a Labs instance is a really really bad idea. This would allow anyone who is admin in that project to impersonate anyone who setup credentials on the instances in the project. (...)

That's why I don't want to add any other user as projectadmin.

Paladox added a comment. Edited Apr 7 2016, 3:47 PM

@bd808 Maybe we can do http://www.gossamer-threads.com/lists/openssh/users/45984 to limit ssh users to certain folders and files. Meaning root access would need to be a trusted user. But users can set up an ssh agent whereby the ssh key is stored on your local computer.

bd808 added a comment. Apr 7 2016, 3:49 PM

Storing user credentials in a Labs instance is a really really bad idea. This would allow anyone who is admin in that project to impersonate anyone who setup credentials on the instances in the project. (...)

That's why I don't want to add any other user as projectadmin.

So all the users of the service should trust you and you will be the 24/7/365 on-call support? If we really need some service like this it should be run as a production service by the WMF techops team in a secure manner.

@bd808 No, but if a user doesn't store their key on the server then no one can view the key. They can use ssh-agent as I do, which is secure and doesn't show the server my key because it won't be on the server.

bd808 added a comment. Apr 7 2016, 3:57 PM

I'm still not sure what the problem being solved here actually is. If running arc on a Windows host is problematic it seems to me that a local VM based solution (like MediaWiki-Vagrant or something more targeted and lighter if needed) would be much more pragmatically useful than a small number of shared VMs in Labs. That eliminates single points of failure and credential privacy concerns.

greg added a subscriber: greg. Apr 7 2016, 4:00 PM
Paladox added a comment. Edited Apr 7 2016, 4:00 PM

@bd808 I created this Windows installer https://github.com/paladox/Arcanist-installer-for-windows which now works on Windows. But maybe something like MediaWiki-Vagrant would work.

I have a patch here https://gerrit.wikimedia.org/r/#/c/281955/ that fixes arcanist for Windows users.

Luke081515 closed this task as Declined. May 13 2016, 12:05 AM

Closing this as declined, because we don't have an "obsolete" status.

With the arcanist installer for Windows, which works, we don't need this solution.