
Re: Bug#840104: Encrypted uploads to the security archive



On 2018-02-13 07:22, Aurelien Jarno wrote:
> On 2018-02-01 22:17, Ansgar Burchardt wrote:
> > Philipp Kern writes:
> > > On 01.02.2018 10:30, Ansgar Burchardt wrote:
> > [...]
> > >> There is already a `buildd-uploader` role account on the upload hosts
> > >> both main and security archive, a `rsync-ssh-wrap` script, and someone
> > >> also set up authorized_keys.
> > >> 
> > >> I'm just not sure if it is already in use for security uploads?  I
> > >> believe it was used for uploads to the main archive already (not sure if
> > >> it currently is?).
> > >
> > > Indeed, it uses rsync over SSH through dupload. For security it uses
> > > FTP. Interestingly an rsync-security dupload.conf entry exists, but it
> > > doesn't seem to be used[1].
> > 
> > Hmm, maybe we should try if it does the right thing?  The wrapper script
> > should ignore the `chmod` call I mentioned in #876900, so the uploaded
> > files shouldn't even be readable by other DDs.

Note that the chmod has been ignored in the wrapper script since almost
the beginning of its existence.

> The problem there is that rsync when used with dupload forces the
> uploaded file to be world readable, until the package is moved out from
> the upload directory by dupload.

I have found a way to force rsync permissions to 0640. I have applied
that to the wrapper script. Following that I have switched the upload
queue on the build daemons to the SSH one.

I guess this basically solves this bug.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net
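
A sketch of how a forced-command wrapper for an upload-only account could ignore client `chmod` requests and hold the queue at 0640, added here as an example. It is not the `rsync-ssh-wrap` script from the thread nor the change described above; the queue path, the function names and the normalise-after-transfer approach are all assumptions.

```shell
#!/bin/sh
# Added example: hypothetical forced-command wrapper for an upload-only SSH
# account. NOT Debian's rsync-ssh-wrap; every name and path is an assumption.
UPLOAD_DIR="${UPLOAD_DIR:-/srv/upload/incoming}"   # assumed queue directory

# Decide what to do with the command the client asked sshd to run.
classify_command() {
    case "$1" in
        *[';&|`$<>()']*)                     echo reject ;;  # shell metacharacters
        "chmod "*)                           echo ignore ;;  # client may not widen modes
        "rsync --server --sender "*)         echo reject ;;  # reading the queue back
        "rsync --server "*" ${UPLOAD_DIR}/") echo upload ;;  # write into the queue only
        *)                                   echo reject ;;
    esac
}

# Set every regular file under DIR to exactly 0640.
force_modes() {
    find "$1" -type f ! -perm 0640 -exec chmod 0640 {} +
}

# Audit helper: number of regular files under DIR whose mode is not 0640.
count_not_0640() {
    find "$1" -type f ! -perm 0640 | wc -l | tr -d ' '
}

# Runs only as an sshd forced command (command="..." in authorized_keys).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    case "$(classify_command "$SSH_ORIGINAL_COMMAND")" in
        ignore) exit 0 ;;                # report success, change nothing
        upload)
            umask 027                    # default for files created without -p
            set -f                       # no globbing while word-splitting
            $SSH_ORIGINAL_COMMAND        # split into words, never eval'd
            rc=$?
            force_modes "$UPLOAD_DIR"    # files may carry sender modes until here
            exit "$rc" ;;
        *) echo "command not permitted" >&2; exit 1 ;;
    esac
fi
```

`count_not_0640` can also be run on its own against the queue directory as a periodic check that nothing in it has drifted from 0640.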

