
Bug#819773: RFS: python-path-and-address/1.0.0-1 [ITP]



Mattia,

On 4 April 2016 at 21:37, Mattia Rizzolo <mattia@debian.org> wrote:
> yep, saw the mail that day, but didn't pay much attention back then.

There's no problem.

> This is basically a security feature, I think, not a bug.
>
> Though you should be able to fix it more manually by directly editing
> the HEAD file.
>
> but this time I just ran the command for you :)
>
> This turned the HEAD file to be group Debian again and I can't have it
> back to scm_collab-maint as I'm not in the collab-maint anymore.
>
> Yeah, permissions on collab-maint (and alioth in general) are just a
> mess....
> If you have troubles with file permissions on collab-maint feel free to
> mail me if you don't have any nearby DD..

Turns out that the "Debian" group is for DDs... Makes sense. Thanks
for fixing this. I'll surely reach you in case I need something like
that again.

> DSA has nothing to do with alioth (sadly?), there is only one active
> person with root on moszumanska (which is the guy that replied to you
> last time, iirc), but he won't chgrp the directory (as afaik he made
> them gid:Debian exactly because he wants to avoid external messing with
> repositories (if the root directory was writable by you you would be
> able to do anything with the config and the hooks, and that's a security
> trouble on collab-maint where everybody has access).

I see. The problem is that the repository is writable by the owner,
who can edit any configs/hooks. I had a problem in this case because I
was not the one who created it.

It is indeed quite hard to take care of a place to which so many people
can write.

> Yep, even if I'm always wary of this.
> I'm a guy who prefers using the tarballs as provided upstream.
> I wrote this item before noticing that you used .xz, so a different
> tarball than upstream.
> Fine by me, I see how this is enough for this case.

Now I understand. You mean a byte-for-byte identical tarball, not one
that is identical regarding its contents only. I see this as enough for
now too. If upstream starts releasing signed tarballs we can change
that.

> ok, yes I know it's more popular.  To me it seems "Expat" is known only
> within Debian, heh :)

Actually, now that you mention it, I guess I had never ever heard of the
"Expat License" outside Debian...

> going to set myself as owner, will look at it somewhen tomorrow though.

Well, it looks like you already took a look a few minutes ago. :-)

> Well, I uploaded it :D
>
> I also tagged the repository.

It is in the NEW queue right now. The tag detail is also pretty nice.
Fetched it.

Thank you very much, Mattia!

Regards,
Tiago.

-- 
Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil
