Re: RFC: Securing maintainer uploads to


On Fri, Nov 11, 2011 at 3:22 AM, Alan Cox <alan lxorguk ukuu org uk> wrote:
> Locking stuff down means reducing the attack surface (eg getting rid of
> shell accounts) and who can write stuff to trusted repositories. It
> doesn't mean contorting the release process. You just need to have the
> signing policy right. Giving everyone read access isn't a big deal, it's
> write access that causes the problem - either to modify repositories or
> to put up fake releases. The latter can to a fair extent be handled by
> enforcing the upload be of a signed file with an appropriate signature
> for the destination.

I understand the arguments for per-module ACLs (be it for commits, or
releases).  I understand they close down an attack vector.

I just don't think it's necessary in practice.  These kinds of things
can be handled through social means just as they always have. (version
control has been open since the 90s without issue!)

If we really have to lock down the release, it should be something
handled at the very end of the process, where a random gnomie can do a
one-off release as a favor or to get a bug fix/feature he has a vested
interest in deployed and it sits in moderation until given a quick
rubber stamp. It would be much better to avoid that red tape, though.
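The control Alan describes in the quoted paragraph, an upload gate that only accepts a signed file whose signature is appropriate for the destination, as an added example that is not part of this thread or of any GNOME tooling. It uses Ed25519 from the Go standard library in place of GPG so it runs offline; the module names, keys and tarball contents are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy maps a destination module to the public keys allowed to sign
// releases for it. Constructed for this example; a real deployment would
// load it from a signed, version-controlled file.
type Policy map[string][]ed25519.PublicKey

var ErrNotAuthorized = errors.New("upload rejected: no key authorized for this destination verifies the signature")

// SignRelease produces a detached signature over the SHA-256 digest of the
// release file (standing in for the maintainer's GPG detached signature).
func SignRelease(priv ed25519.PrivateKey, file []byte) []byte {
	digest := sha256.Sum256(file)
	return ed25519.Sign(priv, digest[:])
}

// CheckUpload is the gate: the upload is accepted only if its signature
// verifies under a key the policy authorizes for that destination. A valid
// signature from a key authorized only for another module is rejected,
// which is what "appropriate signature for the destination" requires.
func CheckUpload(p Policy, dest string, file, sig []byte) error {
	digest := sha256.Sum256(file)
	for _, pub := range p[dest] {
		if ed25519.Verify(pub, digest[:], sig) {
			return nil
		}
	}
	return ErrNotAuthorized
}

// Demo builds two maintainers and two modules and reports whether each of
// three uploads passes: the right key, a key for another module, and a
// modified tarball presented with the right key's original signature.
func Demo() (rightKey, wrongModule, tampered bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{"gtk": {pubA}, "gedit": {pubB}}
	tarball := []byte("gtk-3.2.1.tar.xz contents (constructed sample)")
	rightKey = CheckUpload(policy, "gtk", tarball, SignRelease(privA, tarball)) == nil
	wrongModule = CheckUpload(policy, "gtk", tarball, SignRelease(privB, tarball)) == nil
	modified := append([]byte("modified "), tarball...)
	tampered = CheckUpload(policy, "gtk", modified, SignRelease(privA, tarball)) == nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("right key: %v, key for another module: %v, modified file: %v\n", a, b, c)
}
```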

