[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FESco meeting summary for 20090507



Toshio Kuratomi (a badger gmail com) said: 
> One thing that was mentioned was the lack of fs acls at the moment.
> After looking at what we have now, I'm not sure that fs acls fix
> anything that's not also broken currently.
> 
> Currently:
> 
> * the cvs repository has no fs acls
> * unix group for all directories is set to packager with a sticky group bit.
> * the cvs acl script limits who can actually commit to packages to
> @provenpackager and the specific people involved.
> 
> Implementation-wise, the proposal would allow the cvs acl script to have
> @packager as another allowed group so people who are just in the
> packager group can commit to a specific package.
> 
> I can see fs acls being used to lock down our repo against bugs in the
> cvs acl script or being used to replace the cvs acl script.  But that
> seems to be somewhat separate from the proposal.  I don't think it would
> solve anything specific to the proposal but could make things more
> secure for both the current and proposed method.
> 
> notting, do you see something that I don't?

You *could* swap the permissions so that all packages are only
provenpackager-writable, and implement packager (and owner) access
via FS acls.

Whether that scales or not is another matter.

Bill


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]