CVSROOT:        /cvsroot/administration
Module name:    administration
Branch:         
Changes by:     Sylvain Beucler <[EMAIL PROTECTED]>     05/05/08 20:36:04

Modified files:
        docs/hacking_savannah: hacking_savannah.texi 

Log message:
        Added a project approval check-list.
        Fixed a couple bugs.

CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/administration/administration/docs/hacking_savannah/hacking_savannah.texi.diff?tr1=1.107&tr2=1.108&r1=text&r2=text

Patches:
Index: administration/docs/hacking_savannah/hacking_savannah.texi
diff -u administration/docs/hacking_savannah/hacking_savannah.texi:1.107 
administration/docs/hacking_savannah/hacking_savannah.texi:1.108
--- administration/docs/hacking_savannah/hacking_savannah.texi:1.107    Wed Apr 
20 21:45:36 2005
+++ administration/docs/hacking_savannah/hacking_savannah.texi  Sun May  8 
20:36:03 2005
@@ -1,5 +1,5 @@
 \input texinfo   @c -*-texinfo-*-
[EMAIL PROTECTED] $Id: hacking_savannah.texi,v 1.107 2005/04/20 21:45:36 Beuc 
Exp $
[EMAIL PROTECTED] $Id: hacking_savannah.texi,v 1.108 2005/05/08 20:36:03 Beuc 
Exp $
 @comment %**start of header
 @setfilename hacking_savannah.info
 @include version.texi
@@ -528,62 +528,83 @@
 
 @example
 # Create the directory structure
-$ mkdir demoCA
-$ cd demoCA
-$ mkdir newcerts
-$ mkdir private
-$ echo "01" > serial
-$ touch index.txt
+mkdir -p tls/demoCA
+cd tls/demoCA
+mkdir newcerts
+mkdir private
+echo "01" > serial
+touch index.txt
+cd ..
[EMAIL PROTECTED] example
+
+Your directory structure is now fine.
 
[EMAIL PROTECTED]
 # Create the root certificate
-$ cd ..
-$ openssl req -new -x509 -keyout demoCA/private/cakey.pem \
+openssl req -new -x509 -keyout demoCA/private/cakey.pem \
   -out demoCA/cacert.pem
[EMAIL PROTECTED]
-Country Name (2 letter code) [AU]:US
-State or Province Name (full name) [Some-State]:MA
-Locality Name (eg, city) []:Boston
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:FSF
-Organizational Unit Name (eg, section) []:Certificate Authority
-Common Name (eg, YOUR name) []:FSF
+# <output config="corvus">
+Country Name (2 letter code) [AU]:@kbd{US}
+State or Province Name (full name) [Some-State]:@kbd{MA}
+Locality Name (eg, city) []:@kbd{Boston}
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:@kbd{FSF}
+Organizational Unit Name (eg, section) []:@kbd{Certificate Authority}
+Common Name (eg, YOUR name) []:@kbd{FSF}
 Email Address []:savannah-hackers@@gnu.org
+# </output>
+
+# <output config="Beuc">
+Country Name (2 letter code) [AU]:@kbd{US}
+State or Province Name (full name) [Some-State]:@kbd{MA}
+Locality Name (eg, city) []:@kbd{Boston}
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:@kbd{FSF}
+Organizational Unit Name (eg, section) []:@kbd{Savannah}
+Common Name (eg, YOUR name) []:@kbd{Savannah Hackers}
+Email Address []:savannah-hackers-public@@gnu.org
+# </output>
+
 
 # Generate savannah.gnu.org certificate
 # Incidentally, it seems the country name has to be the same than in
 # CA key. Weird...
-$ openssl req -new -keyout savannah_gnu_pass.key -out savannah_gnu.csr
-Country Name (2 letter code) [AU]:US
-State or Province Name (full name) [Some-State]:MA
-Locality Name (eg, city) []:Boston
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:FSF
-Organizational Unit Name (eg, section) []:Webserver Team
-Common Name (eg, YOUR name) []:savannah.gnu.org
-Email Address []:savannah-hackers@@gnu.org
+openssl req -new -keyout savannah_gnu_pass.key -out savannah_gnu.csr
+# <output>
+Country Name (2 letter code) [AU]:@kbd{US}
+State or Province Name (full name) [Some-State]:@kbd{MA}
+Locality Name (eg, city) []:@kbd{Boston}
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:@kbd{FSF}
+Organizational Unit Name (eg, section) []:@kbd{Webserver Team}
+Common Name (eg, YOUR name) []:@kbd{savannah.gnu.org}
+Email Address []:@kbd{savannah-hackers@@gnu.org}
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
-$ openssl ca -in savannah_gnu.csr -out savannah_gnu.crt
+# </output>
+# Alternatively you can create a passwordless key straight away:
+##openssl req -new -nodes -keyout lists.key -out lists.csr
+# Parse the certificate request
+openssl ca -in savannah_gnu.csr -out savannah_gnu.crt
 
 # Generate savannah.gnu.org certificate - same as savannah_gnu, but
 # with CN=savannah.nongnu.org
-$ openssl req -new -keyout savannah_nongnu_pass.key -out savannah_nongnu.csr
-$ openssl ca -in savannah_nongnu.csr -out savannah_nongnu.crt
+openssl req -new -keyout savannah_nongnu_pass.key -out savannah_nongnu.csr
+openssl ca -in savannah_nongnu.csr -out savannah_nongnu.crt
 
 # Create passphrase-less keys for use in Apache (no need to type the
 # passphrase on Apache startup)
-$ openssl rsa -in savannah_gnu_pass.key -out savannah_gnu.key
-$ openssl rsa -in savannah_nongnu_pass.key -out savannah_nongnu.key
+openssl rsa -in savannah_gnu_pass.key -out savannah_gnu.key
+openssl rsa -in savannah_nongnu_pass.key -out savannah_nongnu.key
 
 # Make sure nobody can read the private keys
-$ chmod 600 *.key demoCA/private/*
+chmod 600 *.key demoCA/private/*
 
 # Time to copy everything in apache
-$ cp -a demoCA/private/cakey.pem /etc/apache/ssl.key/ca.key
-$ cp demoCA/private/cacert.pem /etc/apache/ssl.crt/ca.crt
-$ cp -a *.key /etc/apache/ssl.key
-$ cp *.crt /etc/apache/ssl.crt
+cp -a demoCA/private/cakey.pem /etc/apache/ssl.key/ca.key
+cp demoCA/private/cacert.pem /etc/apache/ssl.crt/ca.crt
+cp -a *.key /etc/apache/ssl.key
+cp *.crt /etc/apache/ssl.crt
 @end example
 
 
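Review bot: The copy step `cp demoCA/private/cacert.pem /etc/apache/ssl.crt/ca.crt` reads the root certificate from `demoCA/private/`, but the `openssl req -new -x509` command earlier in this example writes it with `-out demoCA/cacert.pem`, so the `cp` fails as written; it should read `cp demoCA/cacert.pem /etc/apache/ssl.crt/ca.crt`. Separately, `cp -a demoCA/private/cakey.pem /etc/apache/ssl.key/ca.key` places the CA signing key on the web server next to the server keys; Apache does not need the CA private key to serve TLS, so the text should either say why it is kept there or store it elsewhere. The `Email Address` answers in the corvus and Beuc outputs are also missing the `@kbd{}` markup the other answers received.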
@@ -604,6 +625,29 @@
 @url{savannah.nongnu.org}'s and the root certificate). Update it as
 well through @file{administration/web/tls}.
 
+To create additional certificate, if you lost the demoCA directory,
+recreate the directory structure:
[EMAIL PROTECTED]
+mkdir -p ~/tls/demoCA
+cd ~/tls/demoCA
+mkdir newcerts
+mkdir private
+echo "100" > serial
+touch index.txt
[EMAIL PROTECTED] example
+
+We used ``100'' so we won't confuse with the other certificates.
+
+And populate it:
+
[EMAIL PROTECTED]
+cp -a /etc/apache/ssl.key/ca.key demoCA/private/cakey.pem 
+cp /etc/apache/ssl.crt/ca.crt demoCA/private/cacert.pem 
+openssl req -new -nodes -keyout lists.key -out lists.csr
[EMAIL PROTECTED]
[EMAIL PROTECTED] example
+
+
 
 Last, grab @file{/etc/apache/httpd.conf} from savannah.gnu.org as well
 as included @file{vhosts-gnu.org} and @file{vhosts-nongnu.org}, and
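Review bot: The populate block uses paths relative to `~/tls` (`demoCA/private/cakey.pem`), but the block before it ends inside `~/tls/demoCA` with no `cd ..`, unlike the initial setup example, which got one in this same commit; add `cd ..` after `touch index.txt`. The root certificate is also restored to `demoCA/private/cacert.pem`, while the original setup created it at `demoCA/cacert.pem`; restore it to the same location so both procedures describe one layout. "To create additional certificate" should read "To create an additional certificate", and the text should mention that the freshly created empty `index.txt` no longer records the certificates issued before the directory was lost.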
@@ -1969,6 +2013,14 @@
 @node Mailman installation,  , Spam, Mailing lists administration
 @section Mailman installation
 
[EMAIL PROTECTED]
+* Debian stable::               
+* Fedora Core 2::               
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED] Debian stable, Fedora Core 2, Mailman installation, Mailman 
installation
[EMAIL PROTECTED] Debian stable
+
 For our test install, let's first configure a simple and working mail
 system.
 
@@ -2254,21 +2306,21 @@
 And in the directors section, append:
 @example
 ml_admin_director:
-  domains=lists.gnu, lists.nongnu
+  domains=DOMAINS
   driver = smartuser
   suffix = -admin
   require_files = MAILMAN_ROOT/lists/[EMAIL PROTECTED]:[EMAIL 
PROTECTED]/config.db
   transport = ml_admin_transport
 
 ml_request_director:
-  domains=lists.gnu, lists.nongnu
+  domains=DOMAINS
   driver = smartuser
   suffix = -request
   require_files = MAILMAN_ROOT/lists/[EMAIL PROTECTED]:[EMAIL 
PROTECTED]/config.db
   transport = ml_request_transport
 
 ml_director:
-  domains=lists.gnu, lists.nongnu
+  domains=DOMAINS
   driver = smartuser
   require_files = MAILMAN_ROOT/lists/[EMAIL PROTECTED]:[EMAIL 
PROTECTED]/config.db
   transport = ml_transport
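Review bot: `domains=DOMAINS` in all three directors relies on a `DOMAINS` value that is not defined anywhere in the visible lines, and the literal `lists.gnu, lists.nongnu` it replaces is now gone from the example. If `DOMAINS` is not already set next to `MAILMAN_ROOT` earlier in the configuration, add its definition there and show the value it is expected to hold, so the example can still be followed as written.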
@@ -2278,6 +2330,95 @@
 multiple domain Savannah-style (allows a list to be available at
 multiple domains).
 
+Currently, this configuration doesn't work, and I dunno why >(
+
+
[EMAIL PROTECTED] Fedora Core 2,  , Debian stable, Mailman installation
[EMAIL PROTECTED] Fedora Core 2
+
[EMAIL PROTECTED] is surprisingly not running Debian stable, but
+Fedora Core 2, with newer version of Exim and Mailman.
+
+TODO: explain how to install those and reproduce the configuration
+file - good luck.
+
+Now, let's assume we have a working system. What do we do? 
+
[EMAIL PROTECTED]
+* Try #1::                      
[EMAIL PROTECTED] menu
+
[EMAIL PROTECTED] Try #1,  , Fedora Core 2, Fedora Core 2
[EMAIL PROTECTED] Try #1
+
+We install
+Savane. Considering that the Savannah hackers do not have root access
+there, we'll have to make this a user installation.
+
+Setting up our root:
[EMAIL PROTECTED]
+cd ~
+mkdir savannah
+cd savannah
+mkdir -p etc/stunnel etc/savannah share src var/run
[EMAIL PROTECTED] example
+
+
+Configuring stunnel. This doesn't work yet, we have to clear all the
+certificates mess.
+
[EMAIL PROTECTED]
+# [Server configuration]
+cert = /home/list/savannah/etc/stunnel/lists.crt
+pid = /home/list/var/run/stunnel.pid
+# destination port uses SSL or TLS
+client = yes
+
+# [Debug mode]
+foreground = yes
+output = /dev/stdout
+debug = 7
+
+[savannah-mysql-ssl]
+accept  = 12345 # from (default host = localhost)
+connect = savannah.gnu.org:12345 # to
[EMAIL PROTECTED] example
+
+
+Installing Savane. This is a basic installation of Savane, except that
+it will take place in ~list/savannah.
+
[EMAIL PROTECTED]
+cd ~/savannah/src
+cvs -d:pserver:anonymous@@cvs.gna.org:/cvs/savane login
+cvs -d:pserver:anonymous@@cvs.gna.org:/cvs/savane co savane
+cd savane
+./configure
[EMAIL PROTECTED] example
+
+Ok, this doesn't work, because Apache is part of group mailman, and
+user @samp{list} @emph{is} user @samp{mailman}, so this would allow
+any security hole in the whole Apache or Mailman configuration to mess
+with the Savannah database.
+
+Besides, M. Sysadmin is not in favor of that, because it exposes the
+database to the outside - well to lists.gnu.org.
+
+However, with a separate user, and good MySQL permissions (including
+restricted table scope and v4+ built-in remote SSL authentication),
+this solution would be ok. This is what must be used at Gna!. Of
+course, if we could place the DB on a separate local network, that
+would be great. Meanwhile...
+
[EMAIL PROTECTED] Try #2
+
+The rationale is that @samp{savannah} can't trust @samp{lists},
+because @samp{lists} could get cracked into.
+
+Conclusion: we only give read access, and offer something similar to
+web services.
+
+It would be good to end up using XML-RPC consistenly; right now I'm in a hurry 
so we'll use Jim's Python script.
 
 @node Some Savannah tasks, Frequent support requests, Mailing lists 
administration, Top
 @chapter Some Savannah tasks
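Review bot: In the stunnel configuration, `pid = /home/list/var/run/stunnel.pid` points outside the tree created just above (`mkdir -p etc/stunnel etc/savannah share src var/run` under `~/savannah`), while `cert` does use `/home/list/savannah/...`; the pid path should be `/home/list/savannah/var/run/stunnel.pid`. The `client = yes` section that tunnels to `savannah.gnu.org:12345` also sets no `verify` or `CAfile`, so the client does not check the server's certificate; since the text says the certificates still need sorting out, note that verification against the Savannah root certificate has to be added before this carries database traffic. The `[Debug mode]` settings (`foreground = yes`, `debug = 7`) should be marked as temporary. Finally, "Try #2" has no entry in the menu that lists "Try #1", and "consistenly" should be "consistently".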
@@ -3046,6 +3187,7 @@
 aimed at new volunteers who may only help with projects reviews.
 
 @menu
+* The check-list::              
 * Prerequisites::               
 * Approving projects::          
 * Approval Criteria::           
@@ -3056,7 +3198,39 @@
 * New volunteers::              
 @end menu
 
[EMAIL PROTECTED] Prerequisites, Approving projects, Projects approval, 
Projects approval
+
[EMAIL PROTECTED] The check-list, Prerequisites, Projects approval, Projects 
approval
[EMAIL PROTECTED] The check-list
+
[EMAIL PROTECTED] @bullet
[EMAIL PROTECTED]
+Runs primarily on a free operating system
[EMAIL PROTECTED]
+No proprietary dependencies (libraries, framework, compiler...)
[EMAIL PROTECTED]
+GNU GPL-compatible license (exceptions: Affero GPL, GFDL)
[EMAIL PROTECTED]
+No license incompatibility with dependencies
[EMAIL PROTECTED]
+Appropriate copyright and license notices
[EMAIL PROTECTED]
+No patented format (GIF, MP3)
[EMAIL PROTECTED]
+Appropriate vocabulary (@emph{GNU/Linux} and @emph{Free Software})
[EMAIL PROTECTED]
+No download-only project
[EMAIL PROTECTED] itemize
+
+If the project is approved:
[EMAIL PROTECTED] @bullet
[EMAIL PROTECTED]
+If type is 'GNU', forward to gnueval-input@@gnu.org
[EMAIL PROTECTED]
+If type is 'www.gnu.org translation project', create as non-GNU for now, and 
notify webmasters@@gnu.org.
[EMAIL PROTECTED] itemize
+
+
[EMAIL PROTECTED] Prerequisites, Approving projects, The check-list, Projects 
approval
 @section Prerequisites
 
 Reviewing projects requires notions of licensing, GNU policies, and
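Review bot: The check-list item "GNU GPL-compatible license (exceptions: Affero GPL, GFDL)" is ambiguous for a new reviewer: it does not say whether the exceptions are licenses accepted even though they are not GPL-compatible, or licenses to reject. Spell it out, for example "GNU GPL-compatible license (also accepted: Affero GPL, GFDL)" if that is the intent. The same applies to "No download-only project", which would benefit from a few words on what counts as download-only.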


_______________________________________________
Savannah-cvs mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/savannah-cvs
