Re: Plan for tomorrows (20070816) FESCO meeting



Thorsten Leemhuis wrote:
> Something related to this: I'd like to open my packages by default for
> sponsors and a (not-yet-existent group) long-term-contributors(¹). Could
> FESCo consider making something like this possible?
> 
> Reasons for that wish: I have no problem with other people modifying my
> packages (²), but I think the risk of opening lots of packages in CVS
> for all cvs_extras members is too high, as it's not that hard for a
> malicious attacker to get sponsored (side note: especially as the "hit
> CTRL + C at the right moment and no or an incomplete commit message
> gets sent" problem is still not solved and thus it's not that hard to
> modify something in CVS without being noticed early enough).
> 
> CU
> knurd
> 
> (¹) -- long-term in this case maybe defined as something like this:
> people that have at least ten packages or have three packages and are
> around for at least one year
> 
> (²) -- as I said in the past now and then already: I'd still like us to
> see a more wiki-like approach where modifying other people's packages is
> not frowned upon as it is currently
> 
FESCO keeps discussing this and it's something infrastructure knows is
desired.  However, there are several parts that need to be completed in
order to enable this and we don't have a clear plan of how to achieve
this.  We have to create new groups in the account system to handle the
division of "long term packagers" vs non-long term and we have to figure
out how to define levels for outside consumers of the account system
(right now, the user-sponsor-admin levels are only available internally
to the account system.)  Once those hurdles are dealt with we still have
to figure out how to map the results into the cvs server and packagedb.
In the past we discussed using filesystem ACLs to enforce this.  We've
recently added group code to the cvs server so that's a good alternative.

Ticket tracking this is here:
  https://hosted.fedoraproject.org/projects/packagedb/ticket/28

-Toshio