Re: [gentoo-dev] Proposed security policy for web-based apps
On Fri, 2005-07-08 at 12:58 +0200, Martin Schlemmer wrote:
> Stupid question .. why does webapps.eclass have SLOT=${PVR} ?

If you're running a hosting server, and have many customers using the same app, it may not be practical to bump them all at the same time.

* They may have different busy periods during the day, making it impossible to schedule a common downtime.
* Many upgrades require manual steps - it's less disruptive to upgrade each installation one at a time.
* Different customers may want or need to run different versions of the same app. If a customer is happy with what they have, they may not wish to upgrade.

> This basically means that even a bump from foo-webapp-1.0-r1 to foo-webapp-1.0-r2 will not unmerge foo-webapp-1.0-r1 ...

If you don't have USE=vhosts set, then the eclass will automatically unmerge the older version. If you have USE=vhosts set, then you're telling Portage that you need the flexibility of running webapp-config manually.

Best regards,
Stu

--
Stuart Herbert [EMAIL PROTECTED]
Gentoo Developer http://www.gentoo.org/
http://stu.gnqs.org/diary/

GnuPG key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C
Re: [gentoo-dev] Proposed security policy for web-based apps
On Sun, 10 Jul 2005 09:57:44 +0100 Stuart Herbert [EMAIL PROTECTED] wrote:
> It'd perhaps make sense to extend the DTD for metadata.xml, so that the maintainer tag has 'type' and 'organisation' attributes. This would allow tools to tell the difference between an entry for a Gentoo maintainer, and an entry for an upstream maintainer.

Why modify the DTD? We did something like this recently with mail-filter/razor, in agreement with $upstream, and all that was needed was the 'description' tag, which is already present in the DTD.

--
Andrej Ticho Kacian ticho at gentoo dot org
Gentoo Linux Developer - net-mail, antivirus, amd64
Re: [gentoo-dev] Proposed security policy for web-based apps
Stuart Herbert wrote:
> [snip]
> Thoughts, comments, other (constructive) feedback?
>
> Best regards,
> Stu

Sorry for my delayed response.. Just now getting caught up on my mail from the last week.

I'm definitely in favor of something like this. Btw, I agree with Mike and Lance wrt keeping upstream email contact in metadata.xml. It'll be much easier for tools, etc, to be able to get that information.

Cheers

--
We all know Linux is great...it does infinite loops in 5 seconds. -- Linus Torvalds

Aaron Walker [EMAIL PROTECTED]
[ BSD | cron | forensics | shell-tools | commonbox | netmon | vim | web-apps ]

--
gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] Proposed security policy for web-based apps
On 7/5/05, Stuart Herbert [EMAIL PROTECTED] wrote:
> I'd like to introduce the following security policy for web-based apps.

Why only web-based apps? What about other tools and apps exposed to the network?

--
radoslaw.
Re: [gentoo-dev] Proposed security policy for web-based apps
Mike Frysinger wrote:
> On Tuesday 05 July 2005 04:21 pm, Stuart Herbert wrote:
>> 1. The Gentoo package's maintainer will identify one *named* contact UPSTREAM for security-related matters, and one named general contact UPSTREAM (as a fallback for when the security contact is unreachable).
>> 2. This information will be held on the Dev Wiki.
>
> wtf is the Dev Wiki ? what's wrong with metadata.xml ?

Yeah, having it in metadata.xml would make more sense.

--
Lance Albertson [EMAIL PROTECTED]
Gentoo Infrastructure | Operations Manager
---
GPG Public Key: http://www.ramereth.net/lance.asc
Key fingerprint: 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742
ramereth/irc.freenode.net
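The thread settles on recording the upstream security and general contacts (policy items 1 and 2 quoted above) in metadata.xml, using the existing <description> tag to mark upstream entries, as Andrej describes for mail-filter/razor. The script below is an added example of a checker for that convention; it is not part of the thread and not a Gentoo tool. The sample metadata.xml documents, the marker words "upstream security" / "upstream general", and the function names are this example's own assumptions.

```python
"""Check metadata.xml files for named upstream security and general contacts.

Added example (not from the gentoo-dev thread, not a Gentoo tool). Upstream
contacts are ordinary <maintainer> entries whose <description> says what they
are; the marker words below are an assumption of this example.
"""
import xml.etree.ElementTree as ET

# Marker words looked for in <description> (assumed convention, not Gentoo's).
SECURITY_MARKERS = ("upstream security",)
GENERAL_MARKERS = ("upstream general", "upstream contact", "upstream maintainer")

# Constructed sample metadata.xml documents; package names and addresses are made up.
SAMPLES = {
    # Passes: a named upstream security contact and a named upstream general contact.
    "www-apps/foo-webapp": """<pkgmetadata>
  <herd>web-apps</herd>
  <maintainer><email>stuart@example.org</email><name>Stuart Herbert</name></maintainer>
  <maintainer>
    <email>security@foo-webapp.example</email><name>Jane Doe</name>
    <description>upstream security contact</description>
  </maintainer>
  <maintainer>
    <email>lead@foo-webapp.example</email><name>John Roe</name>
    <description>upstream general contact (fallback)</description>
  </maintainer>
</pkgmetadata>""",
    # Fails: only the Gentoo maintainer is listed.
    "www-apps/bar-webapp": """<pkgmetadata>
  <herd>web-apps</herd>
  <maintainer><email>dev@example.org</email><name>A. Developer</name></maintainer>
</pkgmetadata>""",
    # Fails: the security contact is a role address with no person's name.
    "www-apps/baz-webapp": """<pkgmetadata>
  <maintainer>
    <email>security@baz-webapp.example</email>
    <description>Upstream Security Contact</description>
  </maintainer>
  <maintainer>
    <email>lead@baz-webapp.example</email><name>Pat Smith</name>
    <description>upstream maintainer</description>
  </maintainer>
</pkgmetadata>""",
}


def parse_contacts(xml_text):
    """Return one dict per <maintainer>: email, name, description (missing tags give '')."""
    root = ET.fromstring(xml_text)
    return [
        {
            "email": (m.findtext("email") or "").strip(),
            "name": (m.findtext("name") or "").strip(),
            "description": (m.findtext("description") or "").strip(),
        }
        for m in root.findall("maintainer")
    ]


def classify(contact):
    """Map a contact to 'upstream-security', 'upstream-general' or 'gentoo' via its description."""
    desc = contact["description"].lower()
    if any(marker in desc for marker in SECURITY_MARKERS):
        return "upstream-security"
    if any(marker in desc for marker in GENERAL_MARKERS):
        return "upstream-general"
    return "gentoo"


def check_package(xml_text):
    """Return the list of policy problems for one metadata.xml (empty list = passes)."""
    problems = []
    by_role = {"upstream-security": [], "upstream-general": [], "gentoo": []}
    for contact in parse_contacts(xml_text):
        by_role[classify(contact)].append(contact)
    for role, label in (("upstream-security", "security"), ("upstream-general", "general")):
        entries = by_role[role]
        if not entries:
            problems.append(f"no upstream {label} contact")
            continue
        for c in entries:
            # Item 1 asks for a *named* person, so a bare role address is flagged.
            if not c["name"]:
                who = c["email"] or "<no email>"
                problems.append(f"upstream {label} contact {who} is not a named person")
            if not c["email"]:
                problems.append(f"upstream {label} contact {c['name']} has no email")
    return problems


def check_tree(samples):
    """Run check_package over a mapping of package name -> metadata.xml text."""
    return {pkg: check_package(xml) for pkg, xml in samples.items()}


if __name__ == "__main__":
    for pkg, problems in check_tree(SAMPLES).items():
        print(pkg, "OK" if not problems else "; ".join(problems))
```

Because the classification relies only on the <description> text, the same check runs against an unmodified DTD; a periodic run (the three-month review in item 3) just needs a list of packages whose entries changed or went missing.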
Re: [gentoo-dev] Proposed security policy for web-based apps
Stuart Herbert wrote:
> Hi,
> [snip]
> 1. The Gentoo package's maintainer will identify one *named* contact UPSTREAM for security-related matters, and one named general contact UPSTREAM (as a fallback for when the security contact is unreachable).
> 2. This information will be held on the Dev Wiki.
> 3. This information will be checked every three months to ensure it remains valid.

Are you volunteering to do 3? If not, who will?

> 4. In situations where the UPSTREAM contacts are unreachable, and no new contact can be identified, the package will be masked and marked for removal from the Portage tree (ie it fails this policy)
> [snip...]
> Thoughts, comments, other (constructive) feedback?
>
> Best regards,
> Stu
Re: [gentoo-dev] Proposed security policy for web-based apps
On Tue, 05 Jul 2005 21:21:35 +0100 Stuart Herbert [EMAIL PROTECTED] wrote:
> Hi,
>
> I'd like to introduce the following security policy for web-based apps. If there are no objections, every new web-based app will have to conform to the policy before it can be added to the tree. Every existing web-based app will have to conform to the policy by the end of August, or I will remove it from the tree.
> [snip]

Hmm, what are the criteria to decide if something falls under this policy or not? Package category, maintainership, dependency on webserver, ...?

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub
In the beginning, there was nothing. And God said, 'Let there be Light.' And there was still nothing, but you could see a bit better.