[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DDP project on Alioth and security on gluck

On Sun, Feb 01, 2004 at 11:39:03PM +0100, Javier Fernández-Sanguino Peña wrote:
> It turns out that _any_ account that has CVS rw access in alioth, or even a
> user who can access alioth itself and compromise its security (which is
> "lower" security from my PoV than gluck since its open to many more users). 
> Somebody that wants to compromise klecker can just use shell script code in 
> the DDP CVS and he's done.
> Notice that this is a very different situation from using Alioth as a, for 
> example, source code repository for a package since an abuser is certain 
> that his code will be run at least once if he times it right (makes the CVS 
> change just before the cronjob) without giving a change for other CVS users 
> to review the changes.
> I'm not against having the document data up at alioth, but any
> script/Makefile or whatever that is going to be run periodically at 
> other system should be kept outside of Alioth and more tightly controlled.

IMHO this is the way to go. Currently the data files require pserver and
ssh access for a lots of people, who are not necessarily DDs, so are less trustable.
I'm thinking to sponsered contributors for instance. Having this kind of
accesses on gluck (as it was before the November events) is not a
good policy for security. We share main LDAP accounts there, so it has 
to be avoided.

Currently alioth has a completely different authorization database
and that's definitively a good thing, because we can open access to
a large base of people there, as it was in the past.

Scripts can be instead run on gluck as you say, on a trustable snapshot
of data files only.
That's should be done once for the stable release, and on a (maybe) weekly 
base for the development version. That can be done by splitting the current
tree in a data tree and a scripts/makefiles tree. That's not complicated 
at all.
The scripts tree needs to stay on gluck (with access by a few DDs only),
the data tree on alioth.

> I'm arguing against moving the DDP to Alioth since that change will need 
> time to be developed, lets first sort that out and then move to Alioth.

Yes, having a working repository is a priority, but we will have a very
restricted access anyway, and we will need a large base of writers ASAP.
In the meantime, current users/passwords on gluck ddp needs to be removed, too.
They are obsolete and dangerous. Exposing a complete cvs server (script+sgmls) 
on gluck to a so large number of people should be deprecated.

I hope being clear in my explanations. Divide et impera is the way to go.

Francesco P. Lovergine

Reply to: