Questions/Ideas about Continuum

[Nacho Gonzalez Mac Dowell <na...@visual-ma.com>]

Hi all, I have a couple of questions regarding continuum's webapp. I've 
been looking through jira and haven't found these issues tackled.

1. Is it just me or permissions are not checked when adding/removing 
projects? If I log in, copy the url for deleting a project and then 
logout, it seems that I can delete the project anyways. After going 
through the sources, I didn't find where permissions are checked.

2. What is the use of parsing the pom when introducing a new maven1 
project? IMHO the pom should be parsed after checkout. This would allow 
building projects which extend from others if the extension project is 
included first. Maybe it would be useful to specify the relative url of 
the pom when the checkout is performed. IMO all you need to build a 
maven project is the scm connection url and parameters and the relative 
url to the pom.

3. Isn't the scm password stored as clear text on the db? Usually this 
is a unix user/password from the scm machine... I would consider making 
a certificate for ssh connection or something like that. Then the public 
key for the user could be available for download and put in the scm machine.

Obviestly I am willing to contribute with patches on these issues if 
they are welcome. I didn't want to open tickets just yet as it is my 
first approach to continuum...

Anyways, I think Continuum is a very nice tool that could be really made 
into a monster! Thanks a lot for the effort!

Thank you for your attention

nacho

Re: Questions/Ideas about Continuum

[Emmanuel Venisse <em...@venisse.net>]

Nacho Gonzalez Mac Dowell a écrit :
> Emmanuel Venisse escribió:
> 
>> Nacho Gonzalez Mac Dowell a écrit :
>>
>>> Hi all, I have a couple of questions regarding continuum's webapp. 
>>> I've been looking through jira and haven't found these issues tackled.
>>>
>>> 1. Is it just me or permissions are not checked when adding/removing 
>>> projects? If I log in, copy the url for deleting a project and then 
>>> logout, it seems that I can delete the project anyways. After going 
>>> through the sources, I didn't find where permissions are checked.
>>
>>
>>
>> You're right, it's a big problem in actual code that will be fixed in 
>> 1.1 (not in 1.0.3).
>> We'll use acegi security framework for that.
> 
> 
> Is there a branch or anything yet for this issue?

We have a branch for 1.0.3, it's continuum-1.0.x
1.1 is in trunk, but acegi isn't there for the moment.

> 
>>
>>>
>>> 2. What is the use of parsing the pom when introducing a new maven1 
>>> project? IMHO the pom should be parsed after checkout. This would 
>>> allow building projects which extend from others if the extension 
>>> project is included first. Maybe it would be useful to specify the 
>>> relative url of the pom when the checkout is performed. IMO all you 
>>> need to build a maven project is the scm connection url and 
>>> parameters and the relative url to the pom.
>>
>>
>>
>> We need to parse the pom when we add it for initializing it in 
>> Continuum. We'll can perhaps allow to add maven1 project which extend 
>> an other but only for parent project in the same checkout tree.
> 
> 
> In the same checkout tree or, maybe, from an already parsed pom? 
> Obviestly the order in which projects are added would then be quite 
> important.

We can't extends an already parsed pom because extend feature in maven1 doesn't provide information 
other than the relative path to parent pom, so we can't know which parent it is a project list.
And, if we suppose that we can find it, we'll need to modify the relative path to the parent in the 
child, because continuum store projects on filesystem differently that it is in scm or on developer 
machine.

> 
> Also, why does Continuum need to know from the project except its scm 
> url and the relative path to the pom? If it does need more things (which 
> I may be missing) it could perform a checkout when adding a project, 
> rather than uploading (for the upload case, not for the url case).

We need groupId, artifactId, version, scm url, dependencies and notifiers when we add a project in 
continuum.
groupId, artifactId, version and dependencies are necessary to find the correct build order.


> 
> I am also worried that if the pom changes substantially with time, then 
> a reparse of the pom would be needed if uploaded?
> 
>>
>>>
>>> 3. Isn't the scm password stored as clear text on the db? Usually 
>>> this is a unix user/password from the scm machine... I would consider 
>>> making a certificate for ssh connection or something like that. Then 
>>> the public key for the user could be available for download and put 
>>> in the scm machine.
>>
>>
>>
>> It's a possible solution to implement.
> 
> 
> The only problem I see with this issue is that the only ssh-keygen java 
> port I know is from mindterm which is now propietary. How could we do 
> this maintaining portability? Any ideas? Does anybody see any other 
> solution for not storing clear text password on the db?

ssh-keygen is available in jsch (http://www.jcraft.com/jsch/) too.

Emmanuel

> 
> best regards,
> 
> nacho
> 
> 
> 

Re: Questions/Ideas about Continuum

[Nacho Gonzalez Mac Dowell <na...@visual-ma.com>]

Emmanuel Venisse escribió:

> Nacho Gonzalez Mac Dowell a écrit :
>
>> Hi all, I have a couple of questions regarding continuum's webapp. 
>> I've been looking through jira and haven't found these issues tackled.
>>
>> 1. Is it just me or permissions are not checked when adding/removing 
>> projects? If I log in, copy the url for deleting a project and then 
>> logout, it seems that I can delete the project anyways. After going 
>> through the sources, I didn't find where permissions are checked.
>
>
> You're right, it's a big problem in actual code that will be fixed in 
> 1.1 (not in 1.0.3).
> We'll use acegi security framework for that.

Is there a branch or anything yet for this issue?

>
>>
>> 2. What is the use of parsing the pom when introducing a new maven1 
>> project? IMHO the pom should be parsed after checkout. This would 
>> allow building projects which extend from others if the extension 
>> project is included first. Maybe it would be useful to specify the 
>> relative url of the pom when the checkout is performed. IMO all you 
>> need to build a maven project is the scm connection url and 
>> parameters and the relative url to the pom.
>
>
> We need to parse the pom when we add it for initializing it in 
> Continuum. We'll can perhaps allow to add maven1 project which extend 
> an other but only for parent project in the same checkout tree.

In the same checkout tree or, maybe, from an already parsed pom? 
Obviestly the order in which projects are added would then be quite 
important.

Also, why does Continuum need to know from the project except its scm 
url and the relative path to the pom? If it does need more things (which 
I may be missing) it could perform a checkout when adding a project, 
rather than uploading (for the upload case, not for the url case).

I am also worried that if the pom changes substantially with time, then 
a reparse of the pom would be needed if uploaded?

>
>>
>> 3. Isn't the scm password stored as clear text on the db? Usually 
>> this is a unix user/password from the scm machine... I would consider 
>> making a certificate for ssh connection or something like that. Then 
>> the public key for the user could be available for download and put 
>> in the scm machine.
>
>
> It's a possible solution to implement.

The only problem I see with this issue is that the only ssh-keygen java 
port I know is from mindterm which is now propietary. How could we do 
this maintaining portability? Any ideas? Does anybody see any other 
solution for not storing clear text password on the db?

best regards,

nacho

Re: Questions/Ideas about Continuum

[Emmanuel Venisse <em...@venisse.net>]

Nacho Gonzalez Mac Dowell a écrit :
> Hi all, I have a couple of questions regarding continuum's webapp. I've 
> been looking through jira and haven't found these issues tackled.
> 
> 1. Is it just me or permissions are not checked when adding/removing 
> projects? If I log in, copy the url for deleting a project and then 
> logout, it seems that I can delete the project anyways. After going 
> through the sources, I didn't find where permissions are checked.

You're right, it's a big problem in actual code that will be fixed in 1.1 (not in 1.0.3).
We'll use acegi security framework for that.

> 
> 2. What is the use of parsing the pom when introducing a new maven1 
> project? IMHO the pom should be parsed after checkout. This would allow 
> building projects which extend from others if the extension project is 
> included first. Maybe it would be useful to specify the relative url of 
> the pom when the checkout is performed. IMO all you need to build a 
> maven project is the scm connection url and parameters and the relative 
> url to the pom.

We need to parse the pom when we add it for initializing it in Continuum. We'll can perhaps allow to 
add maven1 project which extend an other but only for parent project in the same checkout tree.

> 
> 3. Isn't the scm password stored as clear text on the db? Usually this 
> is a unix user/password from the scm machine... I would consider making 
> a certificate for ssh connection or something like that. Then the public 
> key for the user could be available for download and put in the scm 
> machine.

It's a possible solution to implement.

> 
> Obviestly I am willing to contribute with patches on these issues if 
> they are welcome. I didn't want to open tickets just yet as it is my 
> first approach to continuum...

All help are welcome. File an issue and attach your patches. We'll look at them.

> 
> Anyways, I think Continuum is a very nice tool that could be really made 
> into a monster! Thanks a lot for the effort!

Thanks.

Emmanuel

> 
> Thank you for your attention
> 
> nacho
> 
> 
>