
Bug#550817: thoughts on a gitolite Debian package



also sprach Sitaram Chamarty <sitaram@atc.tcs.com> [2010.02.04.1400 +1300]:
> True.  However, my concept of a workstation-originated install in
> the APT case would be different from that described above.  See
> below.

Thanks for taking the time to reply to our distro-specific
discussion!

> > In fact, I think the easy-install script, as nice as it is, should
> > not be installed by the Debian package.
> 
> as that script looks now, yes, I agree.
> 
> Easy install conceptually does 2 different things: (1) copy
> the actual code to the right places, and then (2) set up the
> RC file, create the initial repos (gitolite-admin and
> testing), and run the install/compile scripts to set up the
> authkeys file.
> 
> It's only #1 that causes the problem you described.  #2 does
> not; you can have a "setup my gitolite" script that does #2
> for each user who wants to host his own repos using his own
> userid.

Absolutely. Essentially, this is what I proposed: assuming that #1
is taken care of elsewhere (APT), I tried to enumerate the steps #2
would have to do, since I could not figure out how to make
gl-install or gl-easy-install do just those steps.

If the two were split up into e.g. gl-install-remote and
gl-setup-local (to be run via SSH on the target machine), then
yes... there would be no reason to use anything other than
gl-setup-local.

gl-easy-install would simply combine the two.

> When there is an upgrade, the software (what I called #1 above)
> would be upgraded by APT, and even workstation originated installs
> would use it so that's fine.

The issue I am addressing is that Bob might have installed gitolite
on his workstation, and used gl-install-remote to push it to Server.

The next day, you discover a bug in gitolite, which allows Mallory
write-access. You fix it and Alice, who maintains gitolite for
Debian, immediately publishes the updated package.

The next day, Bob's machine is upgraded and the software fixed, but
Bob doesn't actually know about any of this, and thus he does not
run gl-install-remote to upgrade his install. Mallory writes bad
code into Bob's repository, and the world explodes.

If instead gitolite were installed on the server and managed by APT,
then Bob would have set up his instance with gl-setup-local, and
when Alice's update hit the APT mirror and Server's admin upgraded
the machine, Mallory would be locked out.

Does this make sense?

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
if voting could really change things, it would be illegal.
                                         -- revolution books, new york
