FESco meeting summary for 20090507
Bill Nottingham
notting at redhat.com
Mon May 11 21:57:52 UTC 2009
Toshio Kuratomi (a.badger at gmail.com) said:
> One thing that was mentioned was the lack of fs acls at the moment.
> After looking at what we have now, I'm not sure that fs acls fix
> anything that's not also broken currently.
>
> Currently:
>
> * the cvs repository has no fs acls
> * unix group for all directories is set to packager with a sticky group bit.
> * the cvs acl script limits who can actually commit to packages to
> @provenpackager and the specific people involved.
>
> Implementation-wise, the proposal would allow the cvs acl script to have
> @packager as another allowed group so people who are just in the
> packager group can commit to a specific package.
>
> I can see fs acls being used to lock down our repo against bugs in the
> cvs acl script or being used to replace the cvs acl script. But that
> seems to be somewhat separate from the proposal. I don't think it would
> solve anything specific to the proposal but could make things more
> secure for both the current and proposed method.
>
> notting, do you see something that I don't?
You *could* swap the permissions so that all packages are only
provenpackager-writable, and implement packager (and owner) access
via FS acls.
Whether that scales or not is another matter.
Bill