[buildgear-devel] Source downloading failed from private github repo

Martin Lund martin.lund at keep-it-simple.com
Wed Aug 6 14:07:09 MDT 2014


Hi Qing Jin,

On 2014-08-06 12:58, Qing Jin wrote:
> Hi,
>
> I am using buildgear to build the source from github private repo. But 
> the building failed with downloading this error:
>
> Downloading sources..                (1 files)
>
>    Downloading 'https://github.com/xxxxxx/archive/xxxxxxx.tar.gz'
>    Error 404 (HTTP response code said error)
>
> The source link in buildfile is given like this:
>
> source=https://github.com/(private <https://github.com/%28private> 
> repo)/archive/$version.tar.gz
>
> The tarball file is made automatically when doing release for this 
> repo and is available for downloading in github.
>
> Does buildgear support source downloading from github private repo?

Download of private github archive tarballs, no.
Download of public github archive tarballs, yes.

Regarding the 404 error you see: 
https://developer.github.com/v3/troubleshooting/#why-am-i-getting-a-404-error-on-a-repository-that-exists 
:

"Typically, we send a |404| error when your client isn’t properly 
authenticated. You might expect to see a |403 Forbidden| in these cases. 
However, since we don’t want to provide /any/ information about private 
repositories, the API returns a |404| error instead."

Basically, adding support for downloading private github archive 
tarballs would require the buildgear download manager to mimic the login 
steps that your browser performs to do github authentication. That would 
demand special and non-trivial github handling in the download manager. 
This is not a very good idea because we want to keep the download 
manager as generic as possible and only support well known download 
protocols.

If you need to download sources from a secure location I would strongly 
recommend setting up a sftp server to host your release tarballs 
instead. This way you can even have your users reuse their github SSH keys.

sftp:// using SSH keys is well tested with buildgear.


That being said, github does leave another alternative - that is 
downloading private archive tarballs using OAuth2 Token via 
api.github.com (see https://developer.github.com/v3/#authentication).

In this case you can access your archive by regular https in combination 
with a OAuth2 token:
https://api.github.com/repos/<username>/<repo>/tarball/<tag 
version>?access_token=<token>

Unfortunately, the URI above results in a poorly named download file 
(file will be named <tag version>?access_token=<token>) which you would 
have to manually extract in the build() function - it's not pretty but 
it is possible.

Regardless, I would recommend going with sftp:// - it's more elegant 
than using github OAuth2 tokens and more secure, especially if your are 
distributing company protected tarballs.

Br, Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://buildgear.org/pipermail/buildgear-devel_buildgear.io/attachments/20140806/f5c7007e/attachment.html>


More information about the buildgear-devel mailing list