Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-10 Thread Stuart Herbert
On Fri, 2005-07-08 at 12:58 +0200, Martin Schlemmer wrote:
> Stupid question .. why does webapps.eclass have SLOT=${PVR}?

If you're running a hosting server, and have many customers using the
same app, it may not be practical to bump them all at the same time.

* They may have different busy periods during the day, making it
impossible to schedule a common downtime.  
* Many upgrades require manual steps - it's less disruptive to upgrade
each installation one at a time.
* Different customers may want or need to run different versions of the
same app.  If a customer is happy with what they have, they may not wish
to upgrade.

> This
> basically means that even a bump from foo-webapp-1.0-r1 to
> foo-webapp-1.0-r2 will not unmerge foo-webapp-1.0-r1 ...

If you don't have USE=vhosts set, then the eclass will automatically
unmerge the older version.  If you have USE=vhosts set, then you're
telling Portage that you need the flexibility of running webapp-config
manually.

Best regards,
Stu


-- 
Stuart Herbert [EMAIL PROTECTED]
Gentoo Developer  http://www.gentoo.org/
  http://stu.gnqs.org/diary/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319  C549 0C2F 80BA F9AF C57C


Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-10 Thread Andrej Kacian
On Sun, 10 Jul 2005 09:57:44 +0100
Stuart Herbert [EMAIL PROTECTED] wrote:

> It'd perhaps make sense to extend the DTD for metadata.xml, so that the
> maintainer tag has 'type' and 'organisation' attributes.  This would
> allow tools to tell the difference between an entry for a Gentoo
> maintainer, and an entry for an upstream maintainer.

Why modify the DTD? We did something like this recently with
mail-filter/razor, in agreement with $upstream, and all that was needed was
the 'description' tag, which is already present in the DTD.

-- 
Andrej Ticho Kacian ticho at gentoo dot org
Gentoo Linux Developer - net-mail, antivirus, amd64




Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-08 Thread Aaron Walker
Stuart Herbert wrote:

snip

> Thoughts, comments, other (constructive) feedback?
>
> Best regards,
> Stu

Sorry for my delayed response... just now getting caught up on my mail from the
last week.

I'm definitely in favor of something like this.  Btw, I agree with Mike and
Lance wrt keeping upstream email contact in metadata.xml.  It'll be much
easier for tools, etc, to be able to get that information.

Cheers
-- 
We all know Linux is great...it does infinite loops in 5 seconds.

   -- Linus Torvalds

Aaron Walker [EMAIL PROTECTED]
[ BSD | cron | forensics | shell-tools | commonbox | netmon | vim | web-apps ]
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-06 Thread Radoslaw Stachowiak
On 7/5/05, Stuart Herbert [EMAIL PROTECTED] wrote:
> I'd like to introduce the following security policy for web-based apps.

Why only web-based apps? What about other tools and apps exposed to the network?

-- 
radoslaw.




Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-05 Thread Lance Albertson
Mike Frysinger wrote:
> On Tuesday 05 July 2005 04:21 pm, Stuart Herbert wrote:
>
> > 1. The Gentoo package's maintainer will identify one *named* contact
> >    UPSTREAM for security-related matters, and one named general contact
> >    UPSTREAM (as a fallback for when the security contact is
> >    unreachable).
> > 2. This information will be held on the Dev Wiki.
>
>
> wtf is the Dev Wiki?  what's wrong with metadata.xml?

Yeah, having it in metadata.xml would make more sense.

-- 
Lance Albertson [EMAIL PROTECTED]
Gentoo Infrastructure | Operations Manager

---
GPG Public Key:  http://www.ramereth.net/lance.asc
Key fingerprint: 0423 92F3 544A 1282 5AB1  4D07 416F A15D 27F4 B742

ramereth/irc.freenode.net




Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-05 Thread Alec Warner
Stuart Herbert wrote:
> Hi,
>
snip
 
> 1. The Gentoo package's maintainer will identify one *named* contact
>    UPSTREAM for security-related matters, and one named general contact
>    UPSTREAM (as a fallback for when the security contact is
>    unreachable).
> 2. This information will be held on the Dev Wiki.
> 3. This information will be checked every three months to ensure it
>    remains valid.

Are you volunteering to do 3?  If not, who will?

> 4. In situations where the UPSTREAM contacts are unreachable, and no
>    new contact can be identified, the package will be masked and
>    marked for removal from the Portage tree (ie it fails this policy)
> snip...
> Thoughts, comments, other (constructive) feedback?
>
> Best regards,
> Stu



Re: [gentoo-dev] Proposed security policy for web-based apps

2005-07-05 Thread Marius Mauch
On Tue, 05 Jul 2005 21:21:35 +0100
Stuart Herbert [EMAIL PROTECTED] wrote:

> Hi,
>
> I'd like to introduce the following security policy for web-based
> apps. If there are no objections, every new web-based app will have
> to conform to the policy before it can be added to the tree.  Every
> existing web-based app will have to conform to the policy by the end
> of August, or I will remove it from the tree.

[snip]

Hmm, what's the criteria to decide if something falls under this policy
or not? Package category, maintainership, dependency on webserver, ...?

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

