On Thu, Mar 31, 2011 at 5:38 AM, Martijn Pieters wrote:

On Wed, Mar 30, 2011 at 15:08, Jim Fulton wrote:

...

We do something similar with sftp (zc.buildoutsftp).  To publish eggs, we just use scp. The advantage of this is that it leverages ssh infrastructure, so *no* additional password management is needed.  This is wildly better, IMO, than keeping passwords in clear text in your buildout configuration or in a dot file.

That depends on your deployment scenarios. We generate separate passwords per customer, and give them a dedicated URL to load their private eggs from, then put the password in the buildout.cfg. To load the buildout.cfg in the first place, the exact same password is used.

Managing SSH accounts and keys for those customers would cost us much more overhead, and would complicate our instructions for deployment to them.

On the other hand, for deployments of a buildout from a SVN repository already served over SSH would make the sftp route the logical choice.

Some customers are too dumb to be secure. OK, makes sense. :) Seriously, I assume this is a read-only scenario, in which case having clear-text passwords laying around in prominent places seems less problematic. If they could write to the repo, then I would still have serious problems with this approach. Another approach would be to integrate with some secure key-management service (keychain) on the customer's machines, but I expect that would be as painful as helping them figure out ssh. Jim -- Jim Fulton http://www.linkedin.com/in/jimfulton

On 05/04/2011 16:33, Eric Smith wrote:

Could you elaborate on this? How does buildout/setuptools/distribut search for an sdist, lacking an index file? Does it look for .tgz only, or other extensions as well? This would save me a ton of heartburn if I could get it to work.

Point find-links at either a folder on disk, or that sample folder served over http by Apache's normal folder serving (ie: index listings on). Just stick any type of dist into that folder. The rest "just works". If it doesn't, explain what you did and we'll see if we can spot what went wrong... cheers, Chris -- Simplistix - Content Management, Batch Processing & Python Consulting - http://www.simplistix.co.uk