
DDP project on Alioth and security on gluck



Hi,

On Sat, Jan 31, 2004 at 08:21:28PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Fri, Jan 30, 2004 at 10:38:35PM +0100, Osamu Aoki wrote:
> > > I already asked for this and it should have been done _before_ moving the
> > > DDP project for Alioth. I could only check the latest HEAD branch against
> > > several HEAD copies (mine included) and all changes looked ok to me, but
> > > was not able to review all the history for the scripts.
> > 
> > OK, ... but realistically what is the danger of having a non-HEAD branch
> > containing malicious data?  If it is a script, there may be a remote chance,
> > but if it is the document itself, I see almost null chance.
> 
> As Joy said already, and I do agree. There's no danger in not checking 
> non-HEAD branches of documents; there is a slight problem with scripts, 
> especially since those get run on our infrastructure. Both HEAD and history 
> should be carefully reviewed. It's not something I demand, it is something 
> that debian-admin demands for all CVS services before they are restored. 

That's why we only reactivated the manuals module for now. The scripts have
been checked.

> > > That would be all the list of 'users' in the old CVSRoot. You could also
> > > gather one based on the history of changes of all the documents. BTW, have
> > > you contacted the translation teams at all?
> > 
> > He is doing it now.  Active DDP members are supposed to be reading this
> > list.  It is a good way to ping the active ones.
> 
> There are DDP members that are not reading the list. Notably, a number of 
> translators are probably not subscribed to this list.

Everybody that needs access to the cvsroot can simply ask. Note that
Joey Hess did that for the d-i cvsroot, and everything is OK.

> > I am practical.  I am not pushing this.  What is wrong with moving to
> > alioth?  It is CVS after all.  Just a different hostname.
> 
> I'm not against moving stuff to Alioth, as I've already said. I'm against 
> doing it without contacting everyone, also without following the steps 
> requested by Debian admins:
> http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200312/msg00001.html
> (see "When is [my/foo] service coming back(, you [etc.])?")
> 
> > > Do you have a clear plan on how to have gluck regenerate all the 
> > > documentation in HTML format based on the Alioth sources? Have 
> > > you discussed this with debian-admin@? 
> > 
> > Yes, that's a good idea.  Ask them to provide a tar of CVSROOT.  Wait... it
> > looks like everything has moved.  I do not see it on gluck.  :-)  I
> > guess Francesco or Pierre relocated it already.
> 
> ¿? I'm not talking about them providing a tar, I'm talking about how 
> www.debian.org/doc is going to get updated when the sources are up at Alioth. 
> Since gluck had both the CVS and the WWW repository it was trivial to 
> have a cronjob to run the stuff; I'm not that sure the admins will like to run 
> scripts in gluck that are extracted from Alioth in a cronjob, that has a 
> lot of potential for abuse.
[...]

I don't understand why you speak about abuse, since you can log in through
ssh. As Osamu points out, webwml is in the same situation: 

cvs hosted on gluck

check out on klecker

Anyway I Cc: debian-admin.

Cheers,
-- 
                                Pierre Machard
<pmachard@debian.org>                                 http://debian.org
GPG: 1024D/23706F87 : B906 A53F 84E0 49B6 6CF7 82C2 B3A0 2D66 2370 6F87
