Re: Changing the ACL policy for alioth projects (Was: Unable to push debian-jr changes)
On Tue, Mar 31, 2015, at 03:30, Andreas Tille wrote:
> since I have cared for ACLs set on all projects I have admin permissions
> I always (obviously wrongly - see) assume that people do so as well
> in their projects. I experienced the same issue yesterday in
> pkg-openstack: The fact that there is a way to grant commit permissions
> to any DD to VCSs on alioth is widely unknown even if it is mentioned in
> the Alioth FAQ.
> I hereby like to propose that the default on Alioth will be that ACLs
> are set to grant write permissions for DDs *by default* and project
> admins need to ask admins to revert this if they have good reasons to
> prevent any DD from writing to their VCS.
> Any opinions?
This is quite a large security risk, IMHO. The reason people don't adjust the ACLs is that they are not really paying attention to them in the first place. And that happens because we are, as a rule, quite bad at documenting things properly **in places people will come across that documentation**. We often have good documentation, but not anywhere people will find unless they're specifically hunting it down.
At least in collab-maint, you expect things to be changed under you, so you pay extra attention to what is happening.
Also, we have been through the nightmare of compromised DD SSH keys at least twice now, and cleanup was quite troublesome. And that was without indiscriminate write access.
Besides, why the heck should every DD have write access to guest-hosted projects in Alioth, for example? Why should anyone that is not a project admin have write access to the git hooks? And so on.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique de Moraes Holschuh <firstname.lastname@example.org>