Hi all, On Friday 07 August 2009 14:32:27 Nicolas Pouillard wrote: > Excerpts from Grant Husbands's message of Fri Aug 07 13:48:42 +0200 2009: > > I'm hoping I'm mistaken, but it seems to be quite hard to set up a > > secure, working, internet-accessible Darcs server that allows > > relatively untrusted users to push changes. As I understand it the > > options are: > > > > 1. HTTP: A bit sniffable. Authentication not supported. Read-only. > > 2. HTTPS: Authentication not supported. Not supported at all on > > Windows (Darcs doesn't trust any root certs). Read-only. > > 3. SSH: Not secure, as it requires giving people shell access to the > > server. Allows file-edits that don't comply with version control. > > You can use a custom restricted shell for these users. You could only > allow to call "darcs apply".
And then they commit a patch that contains a fork bomb with a 'darcs apply -- post-hook ./forkbomb --run-posthook' and you're still fried. Reinier
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ darcs-users mailing list [email protected] http://lists.osuosl.org/mailman/listinfo/darcs-users
