
Re: Python, VCSs, ssh keys and Transifex



On Wed, 2007-07-11 at 21:30 +0200, Jeroen van Meeuwen wrote:

> A possible solution might be though, to have Transifex store the
> submitted POs in /some/path/transifex, and then have another user
> account lift its files and metadata, commit it to the pulled source
> repository (signed with GPG), and then push it upstream (with SSH
> priv/pub keys). Storing those passwords (plaintext or decryptable) would
> make just as much sense to me as allowing empty passwords to use these
> keys, but at least you prevent the web interface from ever reaching those
> keys or files.

Seems like an idea to pursue.  If httpd is the user doing the TurboGears
part, then have a transifexd that does the actual commits.  That
separation of the Web interface plus a good SELinux policy might be
enough.  How to trigger it?  Or let it run as a full-time daemon?

The risk, folks, is that we get compromised and someone cracks an
upstream SCM through our servers.  Just think about that.  Enough to
turn a warm beer cold.

- Karsten
-- 
   Karsten Wade, 108 Editor       ^     Fedora Documentation Project 
 Sr. Developer Relations Mgr.     |  fedoraproject.org/wiki/DocsProject
   quaid.108.redhat.com           |          gpg key: AD0E0C41
////////////////////////////////// \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
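The web/daemon split sketched in this message, as an added example that is not code from Transifex or from anyone in the thread: the httpd side only writes jobs into a spool directory, and a separate commit daemon (the "transifexd" idea) re-validates each job before handing it to the routine that commits and pushes with keys only the daemon's account can read. The spool layout, function names and the `commit` callback are assumptions.

```python
# Added example (not Transifex's own code): a spool-directory handoff between the
# web side and a separate commit daemon. Directory and job-file layout are assumed.
import json
import os
import tempfile
from pathlib import Path, PurePosixPath

def safe_relative_po_path(rel):
    """Reject any submitted path that could escape the repository checkout."""
    p = PurePosixPath(rel)
    if p.is_absolute() or not p.parts or ".." in p.parts or p.suffix != ".po":
        raise ValueError("rejected path: %r" % rel)
    return p

def spool_submission(spool, project, rel_path, content):
    """Web side: write metadata + PO bytes, then rename into place (no keys needed)."""
    rel = safe_relative_po_path(rel_path)
    if not project.isalnum():
        raise ValueError("project must be alphanumeric")
    fd, tmp = tempfile.mkstemp(dir=spool, prefix="job-", suffix=".tmp")
    with os.fdopen(fd, "wb") as f:
        f.write(json.dumps({"project": project, "path": str(rel)}).encode())
        f.write(b"\n" + content)
    os.chmod(tmp, 0o640)  # readable by the daemon's group, nobody else
    final = Path(tmp).with_suffix(".job")
    os.rename(tmp, final)  # the daemon never sees a half-written job
    return final

def drain_spool(spool, commit):
    """Daemon side (separate account): re-validate, then commit(project, path, bytes)."""
    done = []
    for job in sorted(Path(spool).glob("*.job")):
        if job.is_symlink():  # never follow links planted in the spool
            job.unlink()
            continue
        header, _, body = job.read_bytes().partition(b"\n")
        meta = json.loads(header)
        rel = safe_relative_po_path(meta["path"])  # do not trust the web side's check
        commit(meta["project"], str(rel), body)
        job.unlink()
        done.append((meta["project"], str(rel)))
    return done

def demo():
    """Run both halves against a throwaway spool; returns (processed, commit calls)."""
    spool = tempfile.mkdtemp(prefix="transifex-spool-")
    spool_submission(spool, "anaconda", "po/de.po", b'msgid ""\nmsgstr ""\n')
    calls = []
    processed = drain_spool(spool, lambda p, r, c: calls.append((p, r, c)))
    return processed, calls
```

In a real deployment `spool` is a directory writable by httpd and readable by the daemon's group, and `commit` is the only code path that touches the GPG and SSH keys.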
