https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified
Jeff Schroeder <jeffschroeder> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |jeffschroe...@computer.org

--- Comment #8 from Jeff Schroeder <jeffschroe...@computer.org> 2010-10-29 05:18:20 UTC ---

Ok so here is the plan of attack...

1.) Set up a password-less ssh key for gnome...@l10n.gnome.org. Make the private key readable by the gnomeweb _user_ only and not the group. l10n.gnome.org has fairly limited user access as is so the attack vector is lower than many other servers.

2.) Have create-auth[1] throw down a special ssh key[2] for the gnomeweb user including the host="boron.canonical.com,91.189.93.2" line when given the --gnomeweb-hack argument. This restricts ssh connections from that ssh key to only originate from l10n.gnome.org aka progress.gnome.org aka boron.canonical.com. The patch to do this is attached. Owen or someone else on the sysadmin team please review it to let me know if this is the right idea. create-auth is going to get a lot of love later on. Splinter is truncating the full length of the patch in my browser so look at it raw.

3.) On l10n.gnome.org, configure the git global user (and the d-l process that commits) to be "Damned-Lies Autocommit", and the global git client email to a mailing list that emails all of the translators (if that list exists). This is for replies to go to the main l10n email list if someone wants to reply to an auto-checkin.

4.) Write a simple bourne shell git hook that runs these checks:

  a.) [ "$(/usr/bin/whoami)" = "gnomeweb" ]
  b.) [ "$(/usr/bin/id -u)" = "2184" ]
  c.) [ "$committer_name" = "Damned-Lies Autocommit" ]
  d.) [ "$committer_email" = "the email for the main l10n list" ]
  e.) If it works[2], logic similar to Claude's pseudocode would be perfect.

I double-checked that whoami runs geteuid(2) (yay strace) so b isn't 100% necessary. The goal is max paranoia and gracefully die if anything is off.
c and d are easy for anyone to circumvent with "git commit --author", but they are just an extra layer of sanity checking. e is to make sure that only translation files are being committed.

5.) Teach d-l how to commit translations to a local git repository and rebase on top of changes (hello git.py). The sysadmin team will write a cronjob to periodically push commits to git.gnome.org as user gnomeweb. I'll address points 1-3 now and put this off to someone else until at the very least after the Boston Summit.

[1] http://git.gnome.org/sysadmin-bin/tree/create-auth
[2] Example key when I tested this patch on label:

command="/home/admin/bin/run-git-or-special-cmd",no-pty,no-port-forwarding,host="boron.canonical.com,91.189.93.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoP1vEyT0IiDzmedoe+NKpgJ0pe47pOiaX31/XAntQ5+WWJn2PJDZIGyxBmgSjO8z4pdk7TMV9Bf2ryJRwEnEJDNkAoz1HJM8WUCt0l2SYwS4Qrem2AYHqPJTESrSLkwtEkK4WZrrk00Mp8/dUUBAL3uM5lTKjQuRXZ2PFZFBg79KTP4mrakZ0eTuvvs/jA13Fa8g9q5Ho3A7pe8kpTWCYeqzVbsTMHd1u7s3hiZ5JZhiCHeEOrXN/APtMpSH16wnBjogershs4BzRyAGu2SGcJOs+5jII26tFC3RcFrqTYsaaaplDlZp1j0fKGdQBe+v+SmR6OWFPzlxnhmeQFpqow== gnome...@progress.gnome.org_l10n_autocommit_git_only_key

_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@gnome.org
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
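The hook sketched in step 4, written out as an added example for this page (it is not the hook Jeff or the GNOME sysadmin team wrote): a POSIX sh pre-commit hook for the local Damned-Lies checkout from step 5 that performs checks a) to d) and an explicit form of e), refusing any staged path outside po/*.po, po/LINGUAS and help/*/*.po. The list address is not given on the page, so the hook takes it from DL_AUTOCOMMIT_EMAIL with a placeholder default, and the path whitelist is an assumption about where GNOME translations live in a module. One caveat a practitioner would want that the hook itself does not address: the OpenSSH authorized_keys option that restricts the source host of a key is spelled from="pattern-list"; host= is not an OpenSSH option.

```shell
#!/bin/sh
# Hypothetical .git/hooks/pre-commit for the d-l autocommit checkout.
# Example code, not the GNOME sysadmin hook. Every check must pass or
# the commit is refused; on failure we print why and exit non-zero.

# Identity the committing process must have (values quoted in the comment).
EXPECTED_USER="gnomeweb"
EXPECTED_UID="2184"
EXPECTED_NAME="Damned-Lies Autocommit"
# The l10n list address is not on the page: read it from the environment,
# with a placeholder default (assumption).
EXPECTED_EMAIL="${DL_AUTOCOMMIT_EMAIL:-l10n-list@example.org}"

die() {
    echo "pre-commit: refusing commit: $*" >&2
    exit 1
}

# a) + b): process must run as the gnomeweb user with the expected uid.
# $1 = user name, $2 = numeric uid.
check_identity() {
    [ "$1" = "$EXPECTED_USER" ] && [ "$2" = "$EXPECTED_UID" ]
}

# c) + d): committer name and e-mail must be the autocommit identity.
# Anyone with a shell can spoof these with git config or GIT_COMMITTER_*,
# so treat this as a sanity layer, not an access control.
check_committer() {
    [ "$1" = "$EXPECTED_NAME" ] && [ "$2" = "$EXPECTED_EMAIL" ]
}

# e): only translation files may be touched. Reads one repo-relative path
# per line on stdin and returns 1 at the first path outside the whitelist
# (assumed layout: po/<lang>.po, po/LINGUAS, help/<lang>/<lang>.po).
check_paths() {
    while IFS= read -r path; do
        case "$path" in
            po/*.po|po/LINGUAS) ;;
            help/*/*.po) ;;
            *) echo "non-translation path: $path" >&2; return 1 ;;
        esac
    done
    return 0
}

main() {
    check_identity "$(/usr/bin/whoami)" "$(/usr/bin/id -u)" \
        || die "not running as $EXPECTED_USER (uid $EXPECTED_UID)"

    # git var applies user.name/user.email plus any GIT_COMMITTER_* override
    # and yields "Name <email> <timestamp> <tz>".
    ident=$(git var GIT_COMMITTER_IDENT)
    name=${ident%% <*}
    email=${ident#*<}
    email=${email%%>*}
    check_committer "$name" "$email" || die "unexpected committer identity"

    # Paths staged for this commit (added, copied, modified, renamed, deleted).
    git diff --cached --name-only --diff-filter=ACMRD | check_paths \
        || die "commit touches files outside po/ or help/*/"
}

# Run the checks only when git invokes this file as the pre-commit hook;
# sourcing or running it under another name just defines the functions.
case "$0" in
    */pre-commit) main "$@" ;;
esac
```

Install it as .git/hooks/pre-commit (mode 0755) in the checkout the d-l process commits into; a server-side update hook on git.gnome.org would run the same check_paths over `git diff --name-only $oldrev $newrev` instead of the index.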