[arch-dev-public] [RFC] Moving repos to nymeria
Florian Pritz
bluewind at xinu.at
Thu Sep 6 11:39:03 EDT 2012
On 06.09.2012 17:23, Stéphane Gaudreault wrote:
> Could we run sogrep on nymeria ?
I don't really see a benefit there. You can already run it on brynhild
and sogrep needs a databases which is updated via a cron job so you
probably won't even see a difference in update latency between the two.
> Also, could you please explain why browsing the repo in a shell account
> will be disabled ? I found this very useful when moving a large number
> of packages from staging/testing to extra/core.
The idea is to reduce the possible damage an attacker can cause if he
happens to obtain a dev's/TU's ssh key. Without a shell and only a few
whitelisted commands the box should be very safe. That allows us to use
a server stored signing key for the database without having to worry
about someone using a kernel exploit and gaining access to the key.
sftp will still be available so if all you want is a file list you can
use that. You can also run "sudo syncrepo" on brynhild to force a sync
at any time and then browse there.
--
Florian Pritz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20120906/516add88/attachment.asc>
More information about the arch-dev-public
mailing list