Re: RFC: Securing maintainer uploads to master.gnome.org



On Thu, Nov 10, 2011 at 10:21:17PM -0500, Ray Strode wrote:
> On Thu, Nov 10, 2011 at 6:47 AM, Olav Vitters <olav vitters nl> wrote:
> > 3. Access is determined using "doap" files
> > 4. If you're not in the doap file of that module, you cannot upload
> It's pretty common for people not listed as maintainers in the doap
> files to do releases, especially for the lesser maintained modules.  I
> don't think that's a bad thing, either.

Who? Developers of the module who aren't listed as maintainer, or just
a random person wanting to release a new tarball of e.g. bonobo or
libgnome?

Note that ftp-release-list does say when it is a non-maintainer upload.
It adds the header X-Maintainer-Upload: True if it was uploaded by a
maintainer, False if not.

My worry is the following:
1. Give random person git.gnome.org account
2. Random person creates new module, immediately gets permissions to
master.gnome.org
3. Random person uploads new gtk+ / libgnome

Now, when uploading, ftpadmin always informs the maintainers and it
shows who uploaded it, etc. But still, it seems a bit easy? I like the
"do what you want", but atm you still need to ask accounts gnome org for
upload permissions and because that is a manual thing, it seems to
prevent a lot of abuse.
-- 
Regards,
Olav
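As an added example (not code from this thread, nor GNOME's ftpadmin or ftp-release-list), the check below shows the two policies the discussion contrasts: a per-module authorization that only lets userids listed as maintainers in the module's DOAP file upload, beside an "annotate only" mode that lets the upload through but records the result in the X-Maintainer-Upload header. The module names, DOAP contents and userids are constructed, and the gnome:userid namespace URI is an assumption.

```python
"""Per-module upload authorization driven by DOAP maintainer lists.
Added example, not part of the original thread or of GNOME's tooling."""
import xml.etree.ElementTree as ET

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "doap": "http://usefulinc.com/ns/doap#",
    "foaf": "http://xmlns.com/foaf/0.1/",
    # Assumption: the GNOME DOAP extension namespace that carries <gnome:userid>.
    "gnome": "http://api.gnome.org/doap-extensions#",
}

# Constructed sample DOAP files keyed by module name (not real gnome.org data).
# "newmodule" is the scenario from the mail: a freshly created module whose
# creator lists themself as maintainer.
DOAP_BY_MODULE = {
    "gtk+": """<Project xmlns="http://usefulinc.com/ns/doap#"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/"
         xmlns:gnome="http://api.gnome.org/doap-extensions#">
  <name>gtk+</name>
  <maintainer>
    <foaf:Person>
      <foaf:name>Alice Example</foaf:name>
      <gnome:userid>alice</gnome:userid>
    </foaf:Person>
  </maintainer>
</Project>""",
    "newmodule": """<Project xmlns="http://usefulinc.com/ns/doap#"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/"
         xmlns:gnome="http://api.gnome.org/doap-extensions#">
  <name>newmodule</name>
  <maintainer>
    <foaf:Person>
      <foaf:name>Mallory Example</foaf:name>
      <gnome:userid>mallory</gnome:userid>
    </foaf:Person>
  </maintainer>
</Project>""",
}


def maintainers(doap_xml):
    """Collect the gnome:userid of every <maintainer> listed in a DOAP file."""
    root = ET.fromstring(doap_xml)
    ids = set()
    for person in root.findall(".//doap:maintainer/foaf:Person", namespaces=NS):
        uid = person.find("gnome:userid", namespaces=NS)
        if uid is not None and uid.text:
            ids.add(uid.text.strip())
    return ids


def authorize_upload(module, userid, policy="strict", doap_by_module=DOAP_BY_MODULE):
    """Decide whether `userid` may upload a tarball for `module`.

    policy="strict":   only userids listed in that module's DOAP may upload
                       (the rule proposed in the RFC).
    policy="annotate": any known module accepts the upload; the header records
                       whether the uploader is a listed maintainer.
    Returns (allowed, header_line).
    """
    doap = doap_by_module.get(module)
    listed = doap is not None and userid in maintainers(doap)
    header = "X-Maintainer-Upload: %s" % ("True" if listed else "False")
    if policy == "strict":
        return listed, header
    if policy == "annotate":
        # A module with no DOAP has no maintainers to notify: refuse rather than guess.
        return doap is not None, header
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    # The worry from the mail: mallory creates "newmodule", then tries gtk+.
    for module, userid in (("newmodule", "mallory"), ("gtk+", "mallory"), ("gtk+", "alice")):
        for policy in ("strict", "annotate"):
            allowed, header = authorize_upload(module, userid, policy)
            print("%-9s %-8s %-8s allowed=%-5s %s" % (module, userid, policy, allowed, header))
```

The point of the split is that the maintainer lookup is scoped to the module being uploaded, so being listed in one module's DOAP (even one you just created) says nothing about another. In strict mode that difference decides the upload; in annotate mode it only surfaces in the header, which is why the header alone does not stop the scenario in the mail.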
