Hi,
On Thu, Nov 10, 2011 at 6:47 AM, Olav Vitters wrote:
> 3. Access is determined using "doap" files
> 4. If you're not in the doap file of that module, you cannot upload
It's pretty common for people not listed as maintainers in the doap
files to do releases, especially for the lesser maintaine
I think it's nice that currently we can upload win32 and osx builds of gnome
modules/apps and have them available on gnome servers, if we take away
shell access then perhaps the install-module/ftpadmin script should be
enhanced to allow this (afaik the only way currently is to manually place
a f
On Thu, Nov 10, 2011 at 03:19:07PM +, Maciej Marcin Piechotka wrote:
> On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> > My thoughts to secure this is:
> > 1. Get rid of shell for ideally everyone (maintainers, release team,
> > etc)
> > 2. Uploads are done using:
> >a. rsync over
On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> Loads of people currently have access to master.gnome.org as to upload
> tarballs. This is currently done by handing out shell access to these
> people.
>
> If any of the 350+ has their machine compromised, someone could easily
> use that to
On Thu, Nov 10, 2011 at 12:05:14PM +, Alan Cox wrote:
> >a. rsync might be annoying / unreliable
> >b. don't think you can delete easily with rsync
> >c. more annoying than e.g. sftp or scp
>
> Talk to H Peter Anvin about the new kernel.org tools, they may do what
> you need as wel
> If any of the 350+ has their machine compromised, someone could easily
> use that to reach shell on master.gnome.org. I don't want that to be
> possible.
If you have 350+ users with hosts and some of them were shared with
kernel.org in the past I'd suggest "When" or "Probably" not "If"
>a. r
Loads of people currently have access to master.gnome.org as to upload
tarballs. This is currently done by handing out shell access to these
people.
If any of the 350+ has their machine compromised, someone could easily
use that to reach shell on master.gnome.org. I don't want that to be
possible.