Gerrit SSH interface status and "SSH API" replacement?

Tue Mar 13 14:12:24 UTC 2012

On Tue, Mar 13, 2012 at 04:41, Paul Sokolovsky
<paul.sokolovsky at linaro.org> wrote:
> Now that Google itself doesn't use SSH interface to Gerrit
> (https://android-review.googlesource.com/ssh_info), does it mean that
> SSH interface is deprecated,

No, it isn't deprecated. The SSH interface is too useful for
end-users, administrators, etc.

Google doesn't support SSH because of our networking infrastructure
limitations. Gerrit Code Review at
{android-review,gerrit-review}.googlesource.com runs in multiple
Google data centers, similar to ones that run Google Web Search and
GMail. The network devices between your ISPs peering connection with
Google and the server running Gerrit Code Review only forward HTTP.
Everything else gets blocked and dropped on the floor. Asking for
something else to be tunneled through like GMail does for SMTP, IMAP
or POP3 is a major engineering effort that my small team doesn't have
the staffing to implement, and is very expensive for the company to
perform relative to the small gain we might get in usability.  :-(

So what this does mean is actions that are available over SSH will
become more available over HTTP, because otherwise we lose them in
this particular hosting environment.

> i.e. should other parties consider moving
> away from it?

Only if you want to stop using SSH.  :-)

> That apparently would make maintenance schedule less
> flexible: previously, there were separate "Gerrit admin" role which
> didn't require "sysadmin" (filesystem-level) access for things like DB
> maintenance.

This "Gerrit admin" role still exists, and always will exist. Managing
the configuration of the server through the web UI is a step above
having direct file system access.

> Another question, is there a replacement for "SSH API" like "gerrit
> review", "gerrit stream-events", etc.?

No. We are working on it. Specifically Conley Owens is being loaned to
the project by Android for a short time to build a version of "gerrit
review" on HTTP by refactoring the common code out of the SSH server
and making ti available over both HTTP and SSH. This will also add a
JSON input format for "gerrit review" so automated tools could add
line-level comments on changes. For example, an automated lint
analysis tool could place warnings directly on the line.

> Well, what we'd need right now is
> analog of "gerrit ls-projects", i.e. a stable, machine-readable way to
> get a list of projects in AOSP Gerrit. Any hints?

AOSP maintains an additional manifest file that lists every project...
because ls-projects isn't (yet) available over HTTP. ls-projects has
to be one of the simpler SSH commands... and patches are always be
appreciated.  :-)