Python, VCSs, ssh keys and Transifex
Karsten Wade
kwade at redhat.com
Thu Jul 12 00:14:48 UTC 2007
On Wed, 2007-07-11 at 21:30 +0200, Jeroen van Meeuwen wrote:
> A possible solution might be though, to have Transifex store the
> submitted PO's in /some/path/transifex, and then have another user
> account lift its files and metadata, commit it to the pulled source
> repository (signed with GPG), and then push it upstream (with SSH
> priv/pub keys). Storing those passwords (plaintext or decryptable) would
> make just as much sense to me as allowing empty passwords to use these
> keys, but at least you prevent the web interface from ever reaching those
> keys or files.
Seems like an idea to pursue. If httpd is the user doing the TurboGears
part, then have a transifexd that does the actual commits. That
separation of the Web interface plus a good SELinux policy might be
enough. How to trigger it? Or let it run as a full-time daemon?
The risk, folks, is that we get compromised and someone cracks an
upstream SCM through our servers. Just think about that. Enough to
turn a warm beer cold.
- Karsten
--
Karsten Wade, 108 Editor ^ Fedora Documentation Project
Sr. Developer Relations Mgr. | fedoraproject.org/wiki/DocsProject
quaid.108.redhat.com | gpg key: AD0E0C41
////////////////////////////////// \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
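The separation sketched in this thread (httpd may only write into a spool directory; a separate account that alone holds the GPG/SSH keys validates each drop and commits it), as an added example in Python that is not Transifex's own code: a minimal "transifexd"-style spool consumer. The `<spool>/<id>.json` metadata file beside `<spool>/<id>.po`, the metadata keys, and the `commit` callback are assumptions for illustration; the callback is where the real VCS commit and push would run under the daemon's own keys.

```python
import json
import re
from pathlib import Path
from typing import Callable

# Only plain relative repo paths ending in .po are accepted from the web tier.
SAFE_TARGET = re.compile(r"^(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+\.po$")


def validate_meta(meta) -> dict:
    """Check metadata the (untrusted) web process wrote; raise ValueError if bad."""
    if not isinstance(meta, dict):
        raise ValueError("metadata is not an object")
    target = str(meta.get("target", ""))
    # The char class admits "..", so reject dot-only path segments explicitly.
    if not SAFE_TARGET.match(target) or any(
        s.strip(".") == "" for s in target.split("/")
    ):
        raise ValueError("bad target path: %r" % target)
    author = str(meta.get("author", ""))
    if not re.match(r"^[^\r\n<>]{1,80}$", author):
        raise ValueError("bad author")
    return {"target": target, "author": author}


def process_spool(spool: Path, work: Path,
                  commit: Callable[[Path, dict], None]) -> dict:
    """Consume <id>.json/<id>.po pairs. Good pairs are renamed into the work
    dir (where the web user cannot write) before commit() sees them."""
    rejected = work / "rejected"
    rejected.mkdir(parents=True, exist_ok=True)
    done, bad = [], []
    for meta_file in sorted(spool.glob("*.json")):
        sub_id = meta_file.stem
        po_file = spool / (sub_id + ".po")
        try:
            meta = validate_meta(json.loads(meta_file.read_text()))
            if not po_file.is_file():
                raise ValueError("missing PO file")
        except ValueError:  # JSONDecodeError is a ValueError subclass
            for f in (meta_file, po_file):
                if f.exists():
                    f.rename(rejected / f.name)
            bad.append(sub_id)
            continue
        staged = work / (sub_id + ".po")
        po_file.rename(staged)
        meta_file.rename(work / (sub_id + ".json"))
        commit(staged, meta)  # runs with this user's keys, never httpd's
        done.append(sub_id)
    return {"committed": done, "rejected": bad}
```

Run it from a cron job or a loop in a daemon under the committing user, with the spool directory writable by httpd and the work directory not.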