head	1.3;
access;
symbols
	TIGRIS_1_0_8_1:1.3
	TIGRIS_1_0_8_0:1.3
	TIGRIS_1_0_4:1.3;
locks; strict;
comment	@# @;


1.3
date	2000.08.11.22.21.18;	author kfogel;	state Exp;
branches;
next	1.2;

1.2
date	2000.08.01.17.44.54;	author kfogel;	state Exp;
branches;
next	1.1;

1.1
date	2000.07.27.23.00.37;	author kfogel;	state Exp;
branches;
next	;


desc
@@


1.3
log
@Detailed recipe for upgrading the patch.

Include diffing script.
@
text
@* cvs-tigris.patch -- turns dist CVS into the CVS we use on Tigris.

Mainly, this patch allows the CVS server to authenticate off a MySQL
database.  It also makes a few other tweaks (see log history for
details).

How To Build CVS After Applying This Patch:
===========================================

   cd ccvs/                                       /* Top of CVS source tree */
   patch -p0 < ../wherever/cvs.patch              /* Apply this patch. */
   ./configure --enable-mysql --with-mysql=/usr   /* Configure. */
   make                                           /* Build. */
   make check                                     /* OPTIONAL: test local */
   make remotecheck                               /* OPTIONAL: test remote */
   make install                                   /* Install it. */


How And When To Upgrade This Patch
==================================

This patch needs to be upgraded whenever

   a) one of the CVS maintainers makes a change in the main CVS
      repository

or

   b) we need to change something in our CVS customizations

Here's how to do it:

Keep a pristine CVS source working copy, call it `pristine-ccvs'.
Never modify this working copy, just run "cvs update" in it whenever
you see that someone has made a change (you should be subscribed to
the commit-cvs@@cyclic.com list so you are notified of such changes;
read pristine-ccvs/HACKING to find out how to subscribe).

When a change is made, that usually means our patch has to be
upgraded.  Start by making a copy of the pristine source tree:

   rm -rf collab-ccvs
   cp -r pristine-ccvs collab-ccvs

The collab-ccvs tree is where we will make all our changes.  The first
step is to patch in our existing local customizations, at least as
much as patch is able to apply them, like this:

    cd collab-ccvs
    patch -p0 < .../releng/rpm/cvs/SOURCES/cvs-tigris.patch

If any of the patch hunks failed, examine the .rej file(s) and
hand-apply them as necessary.

And if you're also fixing some bug in our patch, or adding features,
now is the time to do it: make those changes directly in the
collab-ccvs source tree, and build and test only in collab-ccvs too.

Once all that's done, you have one tree representing the latest
unmodified CVS sources, and another representing those sources plus
our customizations.  So to produce a new cvs-tigris.patch, you need to
get the difference between these two trees.  The easiest way to do
that is to run the cdiff.sh script provided here -- it knows how to
ignore irrelevant files and directories:

   cdiff.sh | tee new-cvs-tigris.patch

One last cleanup: you'll have to go through new-cvs-tigris.patch and
replace the pristine paths with "./", so the patch's paths look like
they're all in one tree.  In other words, a file heading like this in
new-cvs-tigris.patch

   diff --exclude=CVS -crN blah/blah/pristine-ccvs/config.h.in ./config.h.in
   *** /home/kfogel/src/pristine-ccvs/config.h.in   Tue Aug  1 10:15:18 2000
   --- ./config.h.in   Tue Aug  1 10:35:13 2000

must be changed to this

   diff --exclude=CVS -crN blah/blah/pristine-ccvs/config.h.in ./config.h.in
   *** ./config.h.in   Tue Aug  1 10:15:18 2000
   --- ./config.h.in   Tue Aug  1 10:35:13 2000

(only the middle line changed).  

There's probably some option to `diff' to do this for us, but I can't
seem to find out what it is, so I just do it with an Emacs macro.  A
sed script might do it equally well.

Once you've done that, the new patch is ready:

   mv new-cvs-tigris.patch cvs-tigris.patch
   cvs commit cvs-tigris.patch

Remember to include a _very_ detailed log message about what the
changes are.  The log message is unusually important here, because
it's almost impossible to figure out what the change was by looking at
the diff -- this being a patch *to* a patch, it's unusually hard to
read.

Oh, one other important thing:

The CVS maintainers include `configure' in their CVS tree for
convenience even though it is generated from `configure.in'.
Therefore, if you see that they've checked in a change to `configure',
that always means they made a change to `configure.in' as well, so we
just need to run autoconf _after_ applying cvs-tigris.patch.  Autoconf
examines `configure.in' and generates a new `configure'.  Since our
changes already have been applied to `configure.in', that will work
for us.

The whole process looks something like this:

   cd pristine-ccvs
   cvs update
   cd ../
   rm -rf collab-cvs
   cp -r pristine-ccvs collab-ccvs
   patch -p0 < .../releng/rpm/cvs/SOURCES/cvs-tigris.patch
   autoconf              [ Only if they changed `configure'. ]
   [ Do whatever other changes need to be done. ]
   cdiff.sh


How To Use The CVS Server After Applying This Patch:
====================================================

Put a line like this in /etc/inetd.conf:

   cvspserver stream tcp nowait tigrisc /usr/local/bin/cvs cvs -L \
   --allow-root=/home/tigrisc --allow-root=/cvs pserver

The new "-L" flag above comes from this patch.  It stands for "local
authentication", a somewhat unintuitive name for authenticating off a
MySQL database.  The reasons to go with the generic name are a)
compatibility with the larger patch from which this is derived, and b)
the new authentication mechanism is easily extendible to systems other
than MySQL.

Next, make the appropriate tables in MySQL.  Documentation on MySQL
authentication may be found in cvs.texinfo (after you apply the patch,
of course).  Search for "@@subsubheading Database Authentication".

Note that the relevant table in our Tigris database seems to have many
columns that our setup doesn't actually use, such as `unix_user'.
Although CVS *could* use that information, we don't tell it to, so
that column is basically ignored and CVS always runs as `tigrisc' (at
least as of 9 June 2000).


Notes On The Patch:
===================

This patch adds two new files, `local_auth.c' and `mysqlsubr.c', and
modifies many files to use the new routines.  This patch is derived
from a much larger patch that also added per-directory ownership and
permissions control in the repository.  We (Tigris) weren't using that
extra code, and it was creating spurious `owner' and `perms' files in
repository directories and possibly causing authentication problems.
So the patch was rewritten to do just MySQL authentication, plus a
skeleton to allow us to add per-directory control very easily (just
stick some more information in the database, and have CVS examine it).

No ChangeLog entries are included, because they almost always cause
conflicts when the patch is applied.  If this patch were ever checked
into the master CVS tree, then that would be the time to add the
ChangeLog entries.  Here is what they might say:

ccvs/ChangeLog:

	* config.h.in, configure, configure.in: changes for MySQL
	("local") authentication.
	Configure now takes --enable-mysql and --with-mysql=DIR options.

ccvs/doc/ChangeLog:

	* cvs.texinfo: document MySQL ("local") authentication.

ccvs/src/ChangeLog:

        * local_auth.c, mysqlsubr.c: new files, for MySQL ("local")
	authentication. 

        * Makefile.in, add.c, admin.c, checkout.c, client.c, commit.c,
	cvs.h, diff.c, edit.c, error.c, import.c, lock.c, log.c,
	main.c, mkmodules.c, parseinfo.c, patch.c, rcs.c, recurse.c,
	remove.c, rtag.c, server.c, status.c, tag.c, update.c,
	watch.c: changes for MySQL authentication.
	(verify_admin, verify_owner, verify_read, verify_write,
	verify_create): new functions.
	(start_recursion): take one of above as new argument.


How does CVS behave with this patch?
====================================

First, go read the new "Database Authentication" section in
cvs.texinfo.  Then, read this:

The three MySQL tables in question are

   domain_privs
   project_privs
   module_privs

with the column `commit_priv' set to either 'Y' or 'N'.  (The special
value `-' indicates the case where no row in that table matches this
user/project/module.)

Notice how domain privileges dominate, then project privs, then
finally module privs, and that it is possible to grant module privs
without granting wider project privs.

      =========
      domain  Y           <---- Result: can commit
      project Y
      module  -

      =========
      domain  Y           <---- Result: can commit
      project N
      module  -

      =========
      domain  N           <---- Result: can commit
      project Y
      module  -

      =========
      domain  N           <---- Result: CAN NOT COMMIT
      project N
      module  -

      =========
      domain  Y           <---- Result: can commit
      project Y
      module  Y
      
      =========
      domain  Y           <---- Result: can commit
      project Y
      module  N
      
      =========
      domain  Y           <---- Result: can commit
      project N
      module  Y
      
      =========
      domain  N           <---- Result: can commit
      project Y
      module  Y
      
      =========
      domain  Y           <---- Result: can commit
      project N
      module  N
      
      =========
      domain  N           <---- Result: can commit
      project Y
      module  N
      
      =========
      domain  N           <---- Result: can commit
      project N
      module  Y
      
      =========
      domain  N           <---- Result: CAN NOT COMMIT
      project N
      module  N
@


1.2
log
@(send_repository): don't try "Checkin-prog" and "Update-prog"
requests, as they have been removed from struct requests[] in
server.c.

Remove all mention of our other, now-obsolete patches from README.
@
text
@d19 105
@


1.1
log
@Describe what's in here.
@
text
@d1 1
a1 1
What's in here:
d3 3
a5 3
   * cvs-tigris.patch
     Patch to bring dist CVS to the CVS we use on Tigris.
     This is a big patch; read more about it after the dashed line below.
d7 2
a8 19
   * cvs-1.10-tmprace.patch
     Appears to fix a race condition in cvsbug.sh.

   * cvs-1.10.7-fixinfo.patch
     Some trivial changes to cvs.texinfo.

   * cvs-1.10.7-krb5-1.1.1.patch
     A very minor patch that apparently makes CVS 1.10.7 compile with
     Kerberos 5.  I'm not sure we should still keep this around, but
     perhaps the patch is useful to make CVS 1.10.8 compile with Krb5
     as well.

---------------------------------------------------------------------------
Here are details about cvs-tigris.patch:

This patch allows the CVS server to authenticate off a MySQL database.

How To Build:
=============
d19 2
a20 2
How To Use It:
==============
@

