[2012-09-06 17:39:03 +0200] Florian Pritz:
The idea is to reduce the possible damage an attacker can cause if he happens to obtain a dev's/TU's ssh key. Without a shell and only a few whitelisted commands the box should be very safe. That allows us to use a server stored signing key for the database without having to worry about someone using a kernel exploit and gaining access to the key.
Did we abandon the idea of having packagers download the old DB, check its signature, do changes to it, sign the new DB, and upload it back? Because I would certainly find this much safer and trustworthy than having a black-box server blindly sign anything it is given. And I would also find it too bad to lose the flexibility actual non-root Linux accounts give, such as being able to fix things ourselves when they go wrong (like when pushing to the wrong repo).

Cheers.

-- Gaetan