On 15.09.2012 23:24, Florian Pritz wrote:
Pierre said that we should support using devtools inside screen (db-move can take quite long) and screen allows running other commands, so limiting the shells doesn't seem possible right now.
It's dbscripts actually. As packages are signed, an attacker cannot inject any code. We should isolate svn though. A shell account with limited permissions (no direct write access to the repos or svn) should be secure enough then. Maybe one day we will reimplement the whole process; but this won't be done anytime soon.
Limiting the shell creates a trusted server which makes signing the databases way more secure because even if we use remote signing the hash is calculated on the server.
We do not sign databases anyway atm. And imho we shouldn't do it until it's possible to tell pacman to trust certain keys only for the database. Then the worst case would be a replay attack which we would detect. Using our packager keys to sign something that is calculated on the server is a bad idea. The server cannot be trusted and our setup should be based on that fact. But this might go off-topic. Right now we don't sign databases and we don't have a finished concept for this. So I'd say keep this in mind but let us not be limited by this.

Back to the actual topic: the community repo should be moved from sigurd as we are running out of disk space. It is also beneficial to have the dev and tu repos on the same server. Therefore an easy solution would be:

* have shell accounts for every dev and tu
* maybe review our group setup
* package files and svn files cannot be accessed by these accounts. Use some sudo and dedicated user magic here so that only dbscripts can write packages and the svn repo can only be accessed via an svn client.

We can have a more advanced setup later.

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
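A sketch of the "sudo and dedicated user" setup Pierre describes in the last bullet, added here as an illustration; it is not taken from the thread or from the Arch Linux servers. The group name `packagers`, the service users `dbscripts` and `svn`, the paths, and every script name other than `db-move` are assumptions.

```sudoers
# /etc/sudoers.d/dbscripts  (added illustration; names and paths are assumptions)
#
# Model: shell accounts own nothing under the package tree or the svn
# repository. The package tree is owned by the service user "dbscripts",
# the svn repository by the service user "svn", both unreadable and
# unwritable by the "packagers" group. The only way from a shell account
# into either tree is one of the commands listed below.

# dbscripts entry points. db-move is named in the thread; db-update and
# db-remove are assumed names. No argument list is given, so sudo permits
# any arguments (repo names, package names) to these scripts.
Cmnd_Alias DBSCRIPTS = /srv/dbscripts/db-update, \
                       /srv/dbscripts/db-move,   \
                       /srv/dbscripts/db-remove

# svn only through svnserve in tunnel mode, rooted at the repository parent.
# Arguments are fixed here, so sudo rejects any other svnserve invocation.
Cmnd_Alias SVNSERVE = /usr/bin/svnserve -t -r /srv/svn

# Members of "packagers" may run exactly these commands, only as the two
# service users, never as root and never as each other.
%packagers ALL = (dbscripts) NOPASSWD: DBSCRIPTS
%packagers ALL = (svn)       NOPASSWD: SVNSERVE
```

The sudoers rules only help if the filesystem side matches them: the trees must be owned by the service users with the packagers group kept out, otherwise a plain shell command bypasses the whole scheme. For svn+ssh to reach the repository, the `svnserve` that a login shell finds first in `PATH` has to be a small wrapper that execs `sudo -u svn /usr/bin/svnserve -t -r /srv/svn`.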