On Tue, Dec 12, 2017 at 9:00 AM, Craig Russell <apache....@gmail.com> wrote:
> One design issue is how to store the information associated with 
> token=458974235879543789.
>
> This could be a single file in json format, with key/value pairs that we 
> decide. In order to support multiple simultaneous updates from different pmc 
> members, we would need to read the file for exclusive use, update the 
> information, and write it back. I expect that this can be done.

https://ruby-doc.org/core-2.4.2/File.html#method-i-flock

> The location of the file is the biggest issue. Users of the tool will sign in 
> with their apache credentials. Where should the file be stored? What access 
> controls are needed? What kind of attacks are possible if the file name is 
> known?

A subdirectory of /srv on whimsy-vm4 would be fine.  Those with shell
access to that machine would be able to read those files.  Those with
sudo access on that machine could change those files.  All other
access would be limited to the user id that runs the web server.

> Another issue is permissions to access private information. We need to look 
> up the email address of the candidate and find out whether the candidate 
> already has an icla on file and whether they are already a committer. The 
> user might just be a PPMC member with no credentials other than an apache id 
> and "incubator" project. Can the tool use this user credentials to access 
> LDAP to obtain the information? Or is the tool running in super-user mode and 
> validates the user id?

There are up to date checkouts of the relevant SVN repositories, and
the LDAP cert is on that machine.  So pretty much any read-only
operation is covered.  Generally, there will already be an API to get
the information you are looking for:
https://whimsy.apache.org/docs/api/

> Craig

- Sam Ruby

>> On Dec 12, 2017, at 5:51 AM, Craig Russell <apache....@gmail.com> wrote:
>>
>> I'd like to continue the discussion on the project/icla topic.
>>
>> I've been thinking about the entire process of committer invitations and the 
>> project/icla just handles the last bit. I'd like to include the whole 
>> process from discussion to vote to invite.
>>
>> Discussion:
>>
>> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential 
>> committer/pmc member. The form has a drop down for committee and entry 
>> fields for email address and GivenName(s) FamilyName, and text. Clicking 
>> (submit) sends email to priv...@pmc.apache.org subject: [DISCUSS] Committer 
>> status for GivenName FamilyName and includes the email address and text that 
>> the pmc member entered and a link to 
>> whimsy.apache.org/project/discuss?token=458974235879543789.
>>
>> Pmc members can add comments from a text box that will be stored and shown 
>> to others who click the link.
>>
>> Voting:
>>
>> Once discussion has died down, the original pmc member can call for a vote 
>> by filling a vote text box and clicking (vote). This will send email to the 
>> pmc private list with a link to the discussion (lists.apache.org/xxx) and 
>> whimsy.apache.org/project/vote?token=458974235879543789.
>>
>> The first pmc member who clicks the link will see the vote text box and a 
>> form with:
>>
>> (0) +1
>> (0) -1
>> (0) +0
>> (0) -0
>> <text box for comments>
>>
>> Other pmc members who click the link will see all other votes and comments 
>> and can vote as above.
>>
>> Clicking (submit) will send email to the pmc private list with all of the 
>> comments and a link to the same page.
>>
>> Anyone on the pmc can close the vote by clicking (close vote). This will 
>> send email with subject [RESULT][VOTE] and an email to board with [NOTICE] 
>> GivenName FamilyName for <pmc> PMC.
>>
>> After 72 hours, the pmc member can visit the 
>> whimsy.apache.org/project/vote?token=458974235879543789 link and click 
>> (invite). This will then bring up the project/icla form if the candidate 
>> does not already have an icla on file. If the candidate does already have an 
>> icla but does not have an apache id, it will bring up the account request 
>> form. Finally, if the candidate has an apache id, it will bring up the "add 
>> to project" form.
>>
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> c...@apache.org http://db.apache.org/jdo
>>
>
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
>

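The read-for-exclusive-use, update, write-back cycle discussed above, with the File#flock call Sam links to, as an added example. This is not Whimsy's own code; it assumes one JSON file per token under a directory the web server user owns, that tokens are bare decimal digits (so the token can be checked before it is turned into a file name), and a record shape (candidate, comments) that is only illustrative.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# Added example, not Whimsy code: one JSON record per token, updated under an
# exclusive flock so concurrent edits by different PMC members do not clobber
# each other. TOKEN_RE is an assumption: tokens are decimal digits only.
TOKEN_RE = /\A\d{1,32}\z/

class TokenStore
  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(@dir, mode: 0o700) # readable only by the server user
  end

  # Refuse anything that is not a bare token, so a caller cannot smuggle
  # "../" or another path component into the file name.
  def path_for(token)
    raise ArgumentError, 'bad token' unless TOKEN_RE.match?(token.to_s)
    File.join(@dir, "#{token}.json")
  end

  # Read-modify-write under File::LOCK_EX. The block gets the current record
  # (an empty Hash if the file is new) and returns the record to store.
  def update(token)
    File.open(path_for(token), File::RDWR | File::CREAT, 0o600) do |f|
      f.flock(File::LOCK_EX)          # blocks until other writers finish
      raw = f.read
      record = raw.empty? ? {} : JSON.parse(raw)
      record = yield(record)
      f.rewind
      f.write(JSON.pretty_generate(record))
      f.flush
      f.truncate(f.pos)               # drop any tail from a longer old record
      record
    end                               # lock is released when the file closes
  end

  def read(token)
    File.open(path_for(token), File::RDONLY) do |f|
      f.flock(File::LOCK_SH)
      raw = f.read
      raw.empty? ? {} : JSON.parse(raw)
    end
  rescue Errno::ENOENT
    {}
  end
end

# Demonstration: several writers appending comments to one token at once.
# Every comment must survive, which is what the lock guarantees.
def demo(dir, token, n_writers: 8, per_writer: 10)
  store = TokenStore.new(dir)
  store.update(token) do |r|
    r.merge('candidate' => 'GivenName FamilyName', 'comments' => [])
  end
  threads = (1..n_writers).map do |w|
    Thread.new do
      per_writer.times do |i|
        store.update(token) do |r|
          r['comments'] << { 'by' => "member#{w}", 'text' => "comment #{i}" }
          r
        end
      end
    end
  end
  threads.each(&:join)
  store.read(token)
end

if __FILE__ == $0
  Dir.mktmpdir do |d|
    rec = demo(d, '458974235879543789')
    puts "#{rec['comments'].size} comments stored for #{rec['candidate']}"
  end
end
```

flock is advisory, so it only protects against writers that go through this path; it does nothing against someone with shell or sudo access editing the file directly, which matches the access picture Sam describes for /srv on whimsy-vm4.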