Re: RFC: Securing maintainer uploads to master.gnome.org



On Fri, Nov 11, 2011 at 4:50 AM, Olav Vitters <olav vitters nl> wrote:
> On Thu, Nov 10, 2011 at 07:47:26PM -0500, Tristan Van Berkom wrote:
>>    I think it's nice that currently we can upload win32 and osx builds of gnome
>> modules/apps and have them available on gnome servers, if we take away
>> shell access then perhaps the install-module/ftpadmin script should be
>> enhanced to allow this (afaik the only way currently is to manually place
>> a file somewhere on master.gnome.org).
>
> Any pointers on what you need? It should be enhanced, yes. Ftpadmin
> takes a file and then based on the filename it figures out where to
> store it. For binary stuff, I think we should agree on the way the files
> are named. This so ftpadmin can figure out where to store it on
> 'ftp.gnome.org'.

That sounds like it would work perfectly to me, we might have
some standard platform suffixes after the module name and before the
version suffix, like: module-win32-1.0.0.tar.bz2, (win64, osx...)

If there are multiple ways of distributing packages on the same
platforms, it might make sense to have separate names for those.

Windows unfortunately I think is more tricky than osx, especially
since people want to download libraries pre-built and use them in their
packages (i.e. people don't want to build GTK+ on win32) you might really
want to know that you are downloading something that's linked with
cygwin, was built with MSYS/mingw, or was compiled with some
particular version of MSVC....

I don't know, perhaps it's better to allow the publishing maintainer to specify
the name of the 'platform' suffix directory name... and avoid bike shedding
what all these directory names might be...

>
> If possible, I want to first get rid of the majority of the shell
> accounts and still allow the old way. Then whoever complains gets a
> shell, but then I'll work to remove the shell again ;)
>
>> Other than that I think the only interaction I ever needed with master.gnome.org
>> was to hook the autogeneration of glade.gnome.org website to a git commit
>> hook or such (and it probably shouldn't have been me doing that anyway...).
>
> This I don't get. Master.gnome.org is just to release tarballs. If you
> need a post-commit git rule, just file a bug with
> https://bugzilla.gnome.org/browse.cgi?product=sysadmin. If
> glade.gnome.org is on a gnome server, then it should be pretty easy to
> set up (already have post-commit scripts in place; only need to run "git
> config" on git.gnome.org).

Right, it was a couple years ago I guess, but I have in my bash history
some references to the directory:
   /usr/local/www/gnomeweb/hooks/glade-web

The site still updates properly... but the directory does not exist anymore
on master.gnome.org ;-)

This was really just a corner case where we were copying the functionality
of the pygtk site... and ideally only a sysadmin should be able to touch
those things anyway.

Cheers,
         -Tristan

> --
> Regards,
> Olav
>
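The naming convention proposed in this message (module-win32-1.0.0.tar.bz2), as an added example that is not ftpadmin's code and not part of the original e-mail: a strict allowlist parser that derives the storage path from the file name alone and rejects anything that could carry a path. The `binaries/<platform>/` and `sources/` layout, the function names, the accepted archive extensions and the sample file names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Platform tags named in the thread; a real list would be agreed by maintainers.
PLATFORMS = frozenset({"win32", "win64", "osx"})

# stem-version.tar.{gz,bz2,xz}. The stem's character classes exclude "/", "\",
# "." and NUL, so a matching name cannot carry a directory or a ".." component.
NAME_RE = re.compile(
    r"(?P<stem>[A-Za-z][A-Za-z0-9+_]*(?:-[A-Za-z0-9+_]+)*)"
    r"-(?P<version>[0-9]+(?:\.[0-9]+)+)"
    r"\.tar\.(?:gz|bz2|xz)"
)


def parse_upload_name(filename):
    """Split an uploaded file name into (module, platform, version).

    platform is None for a source tarball. Any name outside the convention
    raises ValueError; nothing is "cleaned up" and then accepted.
    """
    m = NAME_RE.fullmatch(filename)  # fullmatch: no trailing newline or suffix
    if m is None:
        raise ValueError(f"rejected upload name: {filename!r}")
    head, sep, tail = m["stem"].rpartition("-")
    if sep and tail in PLATFORMS:
        return head, tail, m["version"]
    # An unknown tag stays part of the module name, so the caller must still
    # check the module against the modules this uploader maintains.
    return m["stem"], None, m["version"]


def destination(filename):
    """Map a validated name to a relative path under the (assumed) FTP root."""
    module, platform, version = parse_upload_name(filename)
    series = ".".join(version.split(".")[:2])  # 1.0.0 -> 1.0
    root = PurePosixPath("binaries", platform) if platform else PurePosixPath("sources")
    return str(root / module / series / filename)
```

Because the destination is computed only from validated components, the uploader never supplies a directory, which is what lets the upload path work without shell access.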

