On Sat, Mar 19, 2022 at 11:07:17PM +0100, Fabio Valentini wrote: > On Sat, Mar 19, 2022 at 11:03 PM Kevin Fenzi <ke...@scrye.com> wrote: > > > > On Sat, Mar 19, 2022 at 10:58:59PM +0100, Fabio Valentini wrote: > > > > > > Oh, I think I know what's going on. I looked at > > > src.fedoraproject.org/user/$user. > > > But those group memberships are only synced if the user logs in, AFAIK? > > > So ... do these packagers retain provenpackager capabilities in > > > dist-git so long as they never log in? :) > > > > Yeah. Group memberships are refreshed there on login. > > > > But no one could use that, as if they logged in, it would refresh and > > not let them use provenpackager access since they are no longer in the > > group. > > Well, in the GUI, yes, but what about the access controls in git > pre-receive hooks? > You don't need to log in with the web GUI to do "fedpkg clone; do > 'malicious changes'; git commit -m 'spec cleanup'; git push".
I think it does check... but I am not sure. Will check with pingou about that. kevin
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
