Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

2013-04-30 Thread Daniel Shahaf
: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700: 5. This is sufficient to poison a download mirror site with a counterfeit download so long as the ASC, SHA1, and MD5 locations can

Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

2013-04-30 Thread Kay Schenk
-Original Message- From: Daniel Shahaf [mailto:danie...@apache.org] Sent: Monday, April 29, 2013 15:58 To: Dennis E. Hamilton Cc: dev@openoffice.apache.org; pesce...@apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

RE: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

2013-04-29 Thread Dennis E. Hamilton
[mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 10:44 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Rob Weir wrote: On Thu, Apr 4, 2013 at 11:57 AM, Andrea Pescetti wrote: 2) The only possible solution would be an authz rule like

Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

2013-04-29 Thread Daniel Shahaf
Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700: 5. This is sufficient to poison a download mirror site with a counterfeit download so long as the ASC, SHA1, and MD5 locations can also be spoofed without the user noticing. Right. The normal answer here is They will have

RE: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

2013-04-29 Thread Dennis E. Hamilton
: Daniel Shahaf [mailto:danie...@apache.org] Sent: Monday, April 29, 2013 15:58 To: Dennis E. Hamilton Cc: dev@openoffice.apache.org; pesce...@apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure Dennis E. Hamilton wrote on Mon, Apr 29

Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure

2013-04-29 Thread Dave Fisher
: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700: 5. This is sufficient to poison a download mirror site with a counterfeit download so long as the ASC, SHA1, and MD5 locations can also be spoofed

RE: Proposal: Improve security by limiting committer access in SVN

2013-04-06 Thread Dennis E. Hamilton
-by-project.html#openoffice. - Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Saturday, April 06, 2013 09:47 To: dev@openoffice.apache.org Cc: Joe Schaefer Subject: Re: Proposal: Improve security by limiting committer access in SVN [ ... ] Committer rights

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-05 Thread Kay Schenk
On Wed, Apr 3, 2013 at 5:39 AM, Rob Weir robw...@apache.org wrote: We're starting to take a deeper look at what is required to integrate code signing into the OpenOffice build and release process. As you probably know operating systems, especially Windows and MacOS, are now checking for

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
On Wed, Apr 3, 2013 at 11:30 PM, Louis Suárez-Potts lui...@gmail.com wrote: Thanks, Rob, et al., On 13-04-03, at 22:22 , Peter Junge peter.ju...@gmx.org wrote: One way of implementing this would be to look at all commits for the past 6 months (or 1 year?) and remove authorization on

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Andrea Pescetti
Rob Weir wrote: On Thu, Apr 4, 2013 at 11:57 AM, Andrea Pescetti wrote: 2) The only possible solution would be an authz rule like suggested by Dave here; however, Infra quite discourages it, mainly for maintenance reasons. This leads me to think we would need some good justifications for

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread janI
On 4 April 2013 19:44, Andrea Pescetti pesce...@apache.org wrote: Rob Weir wrote: On Thu, Apr 4, 2013 at 11:57 AM, Andrea Pescetti wrote: 2) The only possible solution would be an authz rule like suggested by Dave here; however, Infra quite discourages it, mainly for maintenance reasons.

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Greg Stein
Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree. Call it openoffice-coders and populate it with those who HAVE any commit activity in the current code tree. I checked feasibility

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Greg Stein
- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
:44 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN On Thu, Apr 4, 2013 at 11:57 AM, Andrea Pescetti pesce...@apache.org wrote: Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree. Call

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree. Call it openoffice-coders and populate it with those who HAVE any commit activity in the current code tree. I

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Greg Stein
. Mechanical solutions may be part of the disease, not the cure [;). - Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Greg Stein
solutions may be part of the disease, not the cure [;). - Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree. Call it openoffice-coders and populate

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread janI
, not the cure [;). - Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus only on adding one new authz list for the code tree. Call it openoffice-coders and populate it with those who HAVE any

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Joe Schaefer
-Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave Fisher wrote: Let's focus

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
, -Rob From: Rob Weir robw...@apache.org To: dev@openoffice.apache.org dev@openoffice.apache.org Sent: Thursday, April 4, 2013 3:53 PM Subject: Re: Proposal: Improve security by limiting committer access in SVN On Thu, Apr 4, 2013 at 3:17 PM, janI j

RE: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Dennis E. Hamilton
security by limiting committer access in SVN [ ... ] But with OpenOffice, there was a two week period of time when we rapidly bootstrapped the community by making people committers automatically, on day 1. All they had to do is put their name on a wiki page and return an ICLA and they were committers

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Rob Weir
it work. But it should be extremely rare. -Rob - Dennis -Original Message- From: Rob Weir [mailto:robw...@apache.org] Sent: Thursday, April 04, 2013 12:54 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-04 Thread Dave Fisher
be part of the disease, not the cure [;). - Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, April 04, 2013 08:57 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Dave

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Alexandro Colorado
I think restricting this would be a horrible idea, since we still have a shortage of developers. Limiting it by permissions and creating a red tape would be even more problematic. I think the key here is about the approved releases. I don't really use windows, so I am not very familiar with the

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Rob Weir
On Wed, Apr 3, 2013 at 8:57 AM, Alexandro Colorado j...@oooes.org wrote: I think restricting this would be a horrible idea, since we still have a shortage of developers. Limiting it by permissions and creating a red tape would be even more problematic. I think the key here is about the

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread janI
On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: We're starting to take a deeper look at what is required to integrate code signing into the OpenOffice build and release process. As you probably know operating systems, especially Windows and MacOS, are now checking for digital

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Rob Weir
On Wed, Apr 3, 2013 at 9:06 AM, janI j...@apache.org wrote: On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: We're starting to take a deeper look at what is required to integrate code signing into the OpenOffice build and release process. As you probably know operating systems,

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Jürgen Schmidt
On 4/3/13 3:13 PM, Rob Weir wrote: On Wed, Apr 3, 2013 at 9:06 AM, janI j...@apache.org wrote: On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: We're starting to take a deeper look at what is required to integrate code signing into the OpenOffice build and release process. As you

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Alexandro Colorado
On 4/3/13, Rob Weir robw...@apache.org wrote: On Wed, Apr 3, 2013 at 8:57 AM, Alexandro Colorado j...@oooes.org wrote: I think restricting this would be a horrible idea, since we still have a shortage of developers. Limiting it by permissions and creating a red tape would be even more

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Thorsten Behrens
janI wrote: But we have to be very careful not to make it even harder to become/be committer, compare us a bit with LO, there I can have commit access within less than a day. Hi Jan, just to get this straight - we try hard to have your patch committed / initial feedback provided in a day. Getting

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Issac Goldstand
On 03/04/2013 16:13, Rob Weir wrote: On Wed, Apr 3, 2013 at 9:06 AM, janI j...@apache.org wrote: On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: We're starting to take a deeper look at what is required to integrate code signing into the OpenOffice build and release process. As you

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Andrea Pescetti
Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: one change to our current process that will, I think, greatly increase security. This would be to restrict SVN authorization for the code I don't think this would greatly increase security, since the

RE: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Dennis E. Hamilton
: Proposal: Improve security by limiting committer access in SVN Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: one change to our current process that will, I think, greatly increase security. This would be to restrict SVN authorization for the code I don't

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Rob Weir
- Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Wednesday, April 03, 2013 10:46 To: dev@openoffice.apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Rob Weir
On Wed, Apr 3, 2013 at 1:45 PM, Andrea Pescetti pesce...@apache.org wrote: Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: one change to our current process that will, I think, greatly increase security. This would be to restrict SVN authorization for

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread janI
On 3 April 2013 22:30, Rob Weir robw...@apache.org wrote: On Wed, Apr 3, 2013 at 1:45 PM, Andrea Pescetti pesce...@apache.org wrote: Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: one change to our current process that will, I think, greatly

RE: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Dennis E. Hamilton
. - Dennis -Original Message- From: Rob Weir [mailto:robw...@apache.org] Sent: Wednesday, April 03, 2013 13:17 To: dev@openoffice.apache.org; orc...@apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN [ ... ] It is not about trusting the committers

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Rob Weir
-Original Message- From: Rob Weir [mailto:robw...@apache.org] Sent: Wednesday, April 03, 2013 13:17 To: dev@openoffice.apache.org; orc...@apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN [ ... ] It is not about trusting the committers. It is about

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Hagar Delest
Le 03/04/2013 15:13, Rob Weir a écrit : 3) We have those who are voted in as committers and might access other, non SVN systems. They use their Apache ID's to write blog posts, access Pootle directly, or maybe even just the SMTP servers. But they never touch SVN at all. I'm one of these

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Marcus (OOo)
On 04/03/2013 10:58 PM, janI wrote: On 3 April 2013 22:30, Rob Weir robw...@apache.org wrote: On Wed, Apr 3, 2013 at 1:45 PM, Andrea Pescetti pesce...@apache.org wrote: Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote: one change to our current

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Dave Fisher
I'm going to top-post. I agree that this is a good idea, but I want to define it expansively as a positive. (1) The current authz that defines all of the AOO committers must be preserved. This is used to generate foundation information like:

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Rob Weir
On Wed, Apr 3, 2013 at 4:58 PM, janI j...@apache.org wrote: On 3 April 2013 22:30, Rob Weir robw...@apache.org wrote: On Wed, Apr 3, 2013 at 1:45 PM, Andrea Pescetti pesce...@apache.org wrote: Jürgen Schmidt wrote: [...] On 3 April 2013 14:39, Rob Weir robw...@apache.org wrote:

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Peter Junge
On 4/3/2013 9:05 PM, Rob Weir wrote: On Wed, Apr 3, 2013 at 8:57 AM, Alexandro Colorado j...@oooes.org wrote: I think restricting this would be a horrible idea, since we still have a shortage of developers. Limiting it by permissions and creating a red tape would be even more problematic. I

Re: Proposal: Improve security by limiting committer access in SVN

2013-04-03 Thread Louis Suárez-Potts
Thanks, Rob, et al., On 13-04-03, at 22:22 , Peter Junge peter.ju...@gmx.org wrote: One way of implementing this would be to look at all commits for the past 6 months (or 1 year?) and remove authorization on /trunk, /tag and /branches for those who have not made commits. But preserve
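The two concrete mechanisms floated in this thread, Dave Fisher's separate "openoffice-coders" authz group for the code tree and Peter Junge's idea of populating it from the last six months of commit activity, can be tried out in miniature. The script below is an added example and is not code from the OpenOffice project or from anyone in the thread. It parses a constructed stand-in for `svn log --xml -v` output, derives the group from it, writes the authz stanzas, and then evaluates what the rules grant. The repository paths (`/openoffice/trunk`, `/openoffice/branches`, `/openoffice/tags`, `/openoffice/site`), the user names, the dates and the existing committer group are all assumptions made for the example; the rule-precedence model inside a section (user entry over group entries over `*`, matching groups unioned) follows what Subversion documents for 1.10 and later, and the path walk models the ordinary inheritance of rules from parent sections. The point a practitioner should take from it is the `close_parent_rights` switch: a code-tree section that only names the coders group, with no `* = r` line, matches nobody else, so every other committer silently inherits `rw` from the `[/openoffice]` section and the restriction does nothing.

```python
"""Added example (not OpenOffice project code): build the proposed
'openoffice-coders' authz group from recent commit activity, render the
SVN authz file for it, and check what the rules actually grant.
All users, paths, dates and log entries are constructed for illustration."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Constructed stand-in for `svn log --xml -v` output; not real AOO history.
SAMPLE_SVN_LOG = """<log>
 <logentry revision="1001"><author>alice</author>
  <date>2013-03-20T10:00:00.000000Z</date>
  <paths><path action="M">/openoffice/trunk/main/sw/source/doc.cxx</path></paths></logentry>
 <logentry revision="995"><author>carol</author>
  <date>2013-03-01T10:00:00.000000Z</date>
  <paths><path action="M">/openoffice/site/trunk/content/index.mdtext</path></paths></logentry>
 <logentry revision="990"><author>bob</author>
  <date>2012-08-01T10:00:00.000000Z</date>
  <paths><path action="M">/openoffice/trunk/main/sc/source/cell.cxx</path></paths></logentry>
</log>"""

CODE_TREES = ("/openoffice/trunk", "/openoffice/branches", "/openoffice/tags")  # assumed layout
CODE_PREFIXES = tuple(t + "/" for t in CODE_TREES)
ALL_COMMITTERS = ["alice", "bob", "carol", "dave"]   # the existing group, kept as-is
THREAD_DATE = datetime(2013, 4, 4, tzinfo=timezone.utc)


def active_coders(log_xml, now, window_days=180):
    """Authors with at least one commit under a code tree inside the window."""
    cutoff = now - timedelta(days=window_days)
    coders = set()
    for entry in ET.fromstring(log_xml).iter("logentry"):
        when = datetime.strptime(entry.findtext("date")[:19], "%Y-%m-%dT%H:%M:%S")
        if when.replace(tzinfo=timezone.utc) < cutoff:
            continue
        if any(p.text.startswith(CODE_PREFIXES) for p in entry.iter("path")):
            coders.add(entry.findtext("author"))
    return sorted(coders)


def render_authz(committers, coders, close_parent_rights=True):
    """Emit the authz text.  close_parent_rights=False drops the '* = r' line
    from the code-tree sections, which is the mistake demonstrated below."""
    out = ["[groups]",
           "openoffice-committers = " + ", ".join(committers),
           "openoffice-coders = " + ", ".join(coders),
           "", "[/openoffice]", "* = r", "@openoffice-committers = rw", ""]
    for tree in CODE_TREES:
        out.append(f"[{tree}]")
        if close_parent_rights:
            out.append("* = r")            # stops the parent's rw from leaking in
        out += ["@openoffice-coders = rw", ""]
    return "\n".join(out)


def parse_authz(text):
    """Minimal authz parser: ({group: {members}}, {path: {principal: rights}})."""
    groups, sections, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = line[1:-1]
            if cur != "groups":
                sections[cur] = {}
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        if cur == "groups":
            groups[key] = {m.strip() for m in val.split(",") if m.strip()}
        else:
            sections[cur][key] = val
    return groups, sections


def rights_for(rules, user, groups):
    """Rights one section gives user, or None when no entry applies to them.
    Assumed precedence (documented for Subversion 1.10+): an entry naming the
    user beats group entries, which beat '*'; matching group rights are unioned."""
    if user in rules:
        return rules[user]
    matched = [r for k, r in rules.items()
               if k.startswith("@") and user in groups.get(k[1:], set())]
    if matched:
        return "".join(matched)
    return rules.get("*")              # None: fall through to the parent path


def access(authz_text, user, path):
    """Walk from path up to '/'; the first section with an applicable entry wins."""
    groups, sections = parse_authz(authz_text)
    while True:
        if path in sections:
            r = rights_for(sections[path], user, groups)
            if r is not None:
                return r
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"


def can_write(authz_text, user, path):
    return "w" in access(authz_text, user, path)


if __name__ == "__main__":
    coders = active_coders(SAMPLE_SVN_LOG, THREAD_DATE)        # ['alice']
    good = render_authz(ALL_COMMITTERS, coders)
    leaky = render_authz(ALL_COMMITTERS, coders, close_parent_rights=False)
    for who in ALL_COMMITTERS:
        print(who, "trunk:", can_write(good, who, "/openoffice/trunk/main/sw"),
              "site:", can_write(good, who, "/openoffice/site/trunk"))
    # bob's last code commit is eight months old: read-only on trunk with the
    # '* = r' line, full write access again without it.
    print("bob on trunk, leaky authz:", can_write(leaky, "bob", "/openoffice/trunk/main/sw"))
```

Run stand-alone it lists, for each committer, whether the derived file lets them write to the code tree and to the website tree, then shows the same question for `bob` against the variant without `* = r`. Whatever tool ends up generating the group for real, the last check is the one worth keeping: after every regeneration, assert that a committer who is not in the coders group cannot write under `/trunk`, `/branches` or `/tags`, because the file can look right and still be open through inheritance.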