On Mon, Nov 14, 2011 at 7:54 AM, Alexander Larsson wrote:
>
> Uhm, can't anyone with git access modify the doap file?
>
Yes.
___
desktop-devel-list mailing list
desktop-devel-list@gnome.org
http://mail.gnome.org/mailman/listinfo/desktop-devel-list
On Fri, 2011-11-11 at 10:44 -0500, Matthias Clasen wrote:
> > What do you suggest then?
> >
> > 1. Let anyone with git.gnome.org upload any tarball they want
> > 2. Let selected people upload any tarball they want; handled by
> > accou...@gnome.org.
> > 3. Only maintainers, release team
>
> I thin
Hi,
On Fri, Nov 11, 2011 at 3:22 AM, Alan Cox wrote:
> Locking stuff down means reducing the attack surface (eg getting rid of
> shell accounts) and who can write stuff to trusted repositories. It
> doesn't mean contorting the release process. You just need to have the
> signing policy right. Giv
On Fri, Nov 11, 2011 at 4:50 AM, Olav Vitters wrote:
> On Thu, Nov 10, 2011 at 07:47:26PM -0500, Tristan Van Berkom wrote:
>> I think it's nice that currently we can upload win32 and osx builds of
>> gnome
>> modules/apps and have them available on gnome servers, if we take away
>> shell acces
Hi,
On Fri, Nov 11, 2011 at 10:26 AM, Olav Vitters wrote:
> On Fri, Nov 11, 2011 at 03:23:25PM +, Bastien Nocera wrote:
>> It's useful.
>
> What do you suggest then?
>
> 1. Let anyone with git.gnome.org upload any tarball they want
This one ^^
> 2. Let selected people upload any tarball they
> What do you suggest then?
>
> 1. Let anyone with git.gnome.org upload any tarball they want
> 2. Let selected people upload any tarball they want; handled by
> accou...@gnome.org.
> 3. Only maintainers, release team
I think maintainers+release team is fine.
If there is a module that you frequent
On Fri, Nov 11, 2011 at 03:23:25PM +, Bastien Nocera wrote:
> It's useful.
What do you suggest then?
1. Let anyone with git.gnome.org upload any tarball they want
2. Let selected people upload any tarball they want; handled by
accou...@gnome.org.
3. Only maintainers, release team
--
Regards
On Fri, 2011-11-11 at 10:17 -0500, Matthias Clasen wrote:
> On Fri, Nov 11, 2011 at 4:59 AM, Olav Vitters wrote:
> > On Thu, Nov 10, 2011 at 10:21:17PM -0500, Ray Strode wrote:
> >> On Thu, Nov 10, 2011 at 6:47 AM, Olav Vitters wrote:
> >> > 3. Access is determined using "doap" files
> >> > 4. If
On Fri, Nov 11, 2011 at 4:59 AM, Olav Vitters wrote:
> On Thu, Nov 10, 2011 at 10:21:17PM -0500, Ray Strode wrote:
>> On Thu, Nov 10, 2011 at 6:47 AM, Olav Vitters wrote:
>> > 3. Access is determined using "doap" files
>> > 4. If you're not in the doap file of that module, you cannot upload
>> It
On Thu, Nov 10, 2011 at 10:21:17PM -0500, Ray Strode wrote:
> On Thu, Nov 10, 2011 at 6:47 AM, Olav Vitters wrote:
> > 3. Access is determined using "doap" files
> > 4. If you're not in the doap file of that module, you cannot upload
> It's pretty common for people not listed as maintainers in the
On Thu, Nov 10, 2011 at 07:47:26PM -0500, Tristan Van Berkom wrote:
> I think it's nice that currently we can upload win32 and osx builds of
> gnome
> modules/apps and have them available on gnome servers, if we take away
> shell access then perhaps the install-module/ftpadmin script should be
> In fact, I think the lack of fine grained ACLs for this sort of thing
> is one part of GNOME that work better than projects that try to lock
> things down more aggressively.
Locking stuff down means reducing the attack surface (eg getting rid of
shell accounts) and who can write stuff to trusted
Hi,
On Thu, Nov 10, 2011 at 6:47 AM, Olav Vitters wrote:
> 3. Access is determined using "doap" files
> 4. If you're not in the doap file of that module, you cannot upload
It's pretty common for people not listed as maintainers in the doap
files to do releases, especially for the lesser maintaine
I think it's nice that currently we can upload win32 and osx builds of gnome
modules/apps and have them available on gnome servers, if we take away
shell access then perhaps the install-module/ftpadmin script should be
enhanced to allow this (afaik the only way currently is to manually place
a f
On Thu, Nov 10, 2011 at 03:19:07PM +, Maciej Marcin Piechotka wrote:
> On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> > My thoughts to secure this is:
> > 1. Get rid of shell for ideally everyone (maintainers, release team,
> > etc)
> > 2. Uploads are done using:
> >a. rsync over
On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> Loads of people currently have access to master.gnome.org as to upload
> tarballs. This is currently done by handing out shell access to these
> people.
>
> If any of the 350+ has their machine compromised, someone could easily
> use that to
On Thu, Nov 10, 2011 at 12:05:14PM +, Alan Cox wrote:
> >a. rsync might be annoying / unreliable
> >b. don't think you can delete easily with rsync
> >c. more annoying than e.g. sftp or scp
>
> Talk to H Peter Anvin about the new kernel.org tools, they may do what
> you need as wel
> If any of the 350+ has their machine compromised, someone could easily
> use that to reach shell on master.gnome.org. I don't want that to be
> possible.
If you have 350+ users with hosts and some of them were shared with
kernel.org in the past I'd suggest "When" or "Probably" not "If"
>a. r
Loads of people currently have access to master.gnome.org as to upload
tarballs. This is currently done by handing out shell access to these
people.
If any of the 350+ has their machine compromised, someone could easily
use that to reach shell on master.gnome.org. I don't want that to be
possible.