Christopher Faylor wrote:
>
> On Wed, Jul 10, 2002 at 06:35:17PM -0400, Charles Wilson wrote:
> >Christopher Faylor wrote:
> >
> >
> >>(I've got to implement a way for package maintainers to do this
> >>themselves...)
> >>
> >
> >Yep. If you only focus on auto-upload (with some sort of
> >verification...should we start signing things with GPG keys?) of
> >*existing* package, that should make the problem easier.
> >
> >First-time uploads can be handled as now: folks with login accounts do
> >it manually.
>
> I have always been thinking of using some kind of ssh key for a
> standard account. Each key would only let the user access a specific
> directory.
>
Last year I wrote a Perl script to be used by the command="script"
option in the authorized_keys file. It would check that the client
intended to run rsync, that all the mandatory options were present and
that extra options were all in the allowed list. It canonicalized the
path arg and verified that it was a subdir of the allowed download path.
If all that checked out, it exec'd a reconstructed safe version of the
original command.

We can write a similar script for cygwin if that's the way to go. The
authorized_keys file would look something like:

command="cygwin_maintainer.pl keychain ncftp wget",no-pty,no... ssh-rsa FEDC... # Hack Kampbjorn
command="cygwin_maintainer.pl ...

What access do maintainers need?
- Upload files
- Create directories? Seems so for split packages, e.g. gettext
- Download files? No, we can use the mirrors or *cough* rsync *cough*
- Delete files? If old packages aren't automatically deleted by a cron
  job then yes
- Delete directories?

And the requirements:
- encrypted communication?
- password authentication?
- public key authentication?
- low CPU load on sources?
- low bandwidth load on sources?

And the options:
- webupload script: pass protected, cert. protected or gpg validated
- restricted ftp accounts
- restricted rsync accounts
- restricted ssh accounts
- unrestricted upload, validated afterwards
- mirroring from maintainer provided URL

> cgf

--
Med venlig hilsen / Kind regards

Hack Kampbjørn
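
The forced-command check described in the message above, sketched in Python as an added example (it is not the Perl script the post mentions and not Cygwin project code). The upload root, both option lists and the `rsync <options...> . <path>` layout are assumptions for illustration; package names arrive as arguments from the command="..." entry in authorized_keys.

```python
import os
import shlex
import sys

# Assumptions, not from the original post: the upload root and both option
# lists are illustrative; match them to what your rsync client really sends.
UPLOAD_ROOT = "/srv/upload/release"   # hypothetical path
MANDATORY = {"--server"}
ALLOWED = {"--server", "-logDtpr", "--partial", "--delete"}

class Rejected(Exception):
    """The client's command failed a policy check."""

def build_safe_argv(original_command, packages, root=UPLOAD_ROOT):
    """Return an argv that is safe to exec, or raise Rejected."""
    try:
        words = shlex.split(original_command)
    except ValueError as exc:
        raise Rejected(f"unparsable command: {exc}")
    if len(words) < 4 or words[0] != "rsync":
        raise Rejected("not an rsync server invocation")
    # Layout assumed here: rsync <options...> . <path>
    *options, dot, path = words[1:]
    if dot != ".":
        raise Rejected("unexpected argument layout")
    if not MANDATORY.issubset(options):
        raise Rejected("mandatory option missing")
    for opt in options:
        if opt not in ALLOWED:        # also rejects --sender (download)
            raise Rejected(f"option not allowed: {opt}")
    # Canonicalize first so '..' and symlinks cannot escape the check.
    real = os.path.realpath(os.path.join(root, path))
    bases = [os.path.realpath(os.path.join(root, p)) for p in packages]
    if not any(os.path.commonpath([real, b]) == b for b in bases):
        raise Rejected("path is outside the maintainer's directories")
    # Rebuild from validated parts only; no shell ever sees client input.
    return ["rsync", *options, ".", real]

def main():
    # Package names come from the command="..." line in authorized_keys.
    try:
        argv = build_safe_argv(os.environ.get("SSH_ORIGINAL_COMMAND", ""), sys.argv[1:])
    except Rejected as why:
        print(f"rejected: {why}", file=sys.stderr)
        return 1
    os.execvp(argv[0], argv)

if __name__ == "__main__":
    sys.exit(main())
```

The containment test compares whole path components, so a sibling directory such as `wget-evil` does not pass as being inside `wget`.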
