
Re: [fis-gtm] builds with pbuilder



Hi Andreas,

On 02/08/2013 02:00 PM, Andreas Tille wrote:
Andreas asked if we should use GIT. Yes please. How do I/we do that?
I remember Charles has given a hint to a script which does the job.
From my *personal* perspective it is fine to forget about the history
and just create a fresh Git repository as described in Debian Med policy
document.  I could imagine that V6.0-002 release might be a good starting
point (if it is expected in the not so distant future) because you save
the trouble with the dirty tarball and can straight import from upstream.
But finally it is your choice to do it right now.

[amul:5] For GIT conversion, I found the following links. I'll give them a try once we're ready to release the V6.0-001 package.
http://wiki.debian.org/Alioth/Git#Convert_a_SVN_Alioth_repository_to_Git
http://lists.debian.org/debian-med/2009/11/msg00006.html

[amul:5] Let's not wait for V6.0-002. I have a strong feeling that we will need some deployment changes to the package that we won't find in my simple tests. And by strong feeling, I mean that I've been burned often enough by small deployment problems.



What remains:
- I need a DEP3 compliant explanation of the suppression of the gtmsecshr setuid and permissions.

[amul:5] Where should I put the explanation for the suppression options?

[amul:5] How is the following for a DEP3 compliant explanation?

-------------------------------------------------------------------------------

Author: Amul Shah <Amul.Shah@fisglobal.com>
Description: FIS GT.M uses a setuid binary to facilitate multi-user access to database shared memory

[description adapted from the Admin and Operations Guide]

FIS GT.M (hereby referred to as just GT.M) processes run with normal UNIX user and group ids. GT.M has no database daemon that needs to run with elevated privileges. Process code written in M will be able to read a database file if and only if the process has read permission for that database file, and to update that database file if and only if the process has read/write permission for that database file.

Processes with normal user and group ids do not have adequate permissions to effect necessary GT.M interprocess communication and cleanup after abnormal process termination. A process called gtmsecshr runs as root in order to effect the following functionality:
    - Interprocess communication, including sending SIGALARM and SIGCONT between processes where normal UNIX permissions do not permit such signals to be sent.
    - Cleanup after processes that terminate abnormally, including removing semaphores, shared memory segments, and flushing database file headers (but not database blocks) from shared memory segments to disk.

Whenever a GT.M process lacks adequate permissions to effect any of the above operations, it automatically invokes gtmsecshr if it is not already running.

In order to run as root, and to be invoked by a process that has normal user and group ids, the invocation chain for gtmsecshr requires an executable image that is owned by root and which has the setuid bit turned on in its file permissions.

There are two images named gtmsecshr, one located at /usr/lib/fis-gtm/<version>_<arch>/gtmsecshr and the other at /usr/lib/fis-gtm/<version>_<arch>/gtmsecshrdir/gtmsecshr.

/usr/lib/fis-gtm/<version>_<arch>/gtmsecshr exists to sanitize the UNIX environment and to validate that the permissions on /usr/lib/fis-gtm/<version>_<arch>/gtmsecshrdir and /usr/lib/fis-gtm/<version>_<arch>/gtmsecshrdir/gtmsecshr match its expectations. The permissions expectations for each path are listed in octal notation:
4755 /usr/lib/fis-gtm/<version>_<arch>/gtmsecshr
0500 /usr/lib/fis-gtm/<version>_<arch>/gtmsecshrdir
4500 /usr/lib/fis-gtm/<version>_<arch>/gtmsecshrdir/gtmsecshr

-------------------------------------------------------------------------------

Thanks, Amul
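
The permission expectations listed in the message above, written as an audit check. This is an added example, not part of the original e-mail or of the GT.M package; the function name `audit_gtmsecshr`, the `owner_uid` parameter and the assumption that all three paths (not only the setuid images) are root-owned are assumptions of this example.

```python
import os
import stat
import sys

# Modes as listed in the message, relative to the GT.M install directory
# (/usr/lib/fis-gtm/<version>_<arch>; pass the real path on the command line).
EXPECTED = (
    ("gtmsecshr", 0o4755, stat.S_ISREG),
    ("gtmsecshrdir", 0o0500, stat.S_ISDIR),
    (os.path.join("gtmsecshrdir", "gtmsecshr"), 0o4500, stat.S_ISREG),
)


def audit_gtmsecshr(install_dir, owner_uid=0):
    """Return a list of findings; an empty list means the layout matches.

    owner_uid defaults to root (assumption: all three paths are root-owned).
    Run as root: gtmsecshrdir is 0500, so nobody else can look inside it.
    """
    findings = []
    for rel, want_mode, is_expected_type in EXPECTED:
        path = os.path.join(install_dir, rel)
        try:
            # lstat, not stat: a symlink in the chain is itself a finding.
            st = os.lstat(path)
        except OSError as exc:
            findings.append(f"{rel}: cannot stat ({exc.strerror})")
            continue
        if not is_expected_type(st.st_mode):
            findings.append(f"{rel}: unexpected file type")
            continue
        mode = stat.S_IMODE(st.st_mode)  # permission bits incl. setuid/setgid/sticky
        if mode != want_mode:
            findings.append(f"{rel}: mode {mode:04o}, expected {want_mode:04o}")
        if st.st_uid != owner_uid:
            findings.append(f"{rel}: owner uid {st.st_uid}, expected {owner_uid}")
    return findings


if __name__ == "__main__":
    problems = audit_gtmsecshr(sys.argv[1])
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The comparison is exact, so any extra bit (group or world write on the wrapper, a readable gtmsecshrdir) is reported along with a missing setuid bit.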

