[arch-dev-public] [RFC] Moving repos to nymeria
snowmaniscool at gmail.com
Thu Sep 6 13:18:32 EDT 2012
On Thu, Sep 6, 2012 at 12:46 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2012-09-06 17:39:03 +0200] Florian Pritz:
>> The idea is to reduce the possible damage an attacker can cause if he
>> happens to obtain a dev's/TU's ssh key. Without a shell and only a few
>> whitelisted commands the box should be very safe. That allows us to use
>> a server stored signing key for the database without having to worry
>> about someone using a kernel exploit and gaining access to the key.
> Did we abandon the idea of having packagers download the old DB, check
> its signature, do changes to it, sign the new DB, and upload it back?
> Because I would certainly find this much safer and trustworthy than
> having a black-box server blindly signs anything it is given.
> And I would also find it too bad to lose the flexibility actual non-root
> Linux accounts give, such as being able to fix things ourselves when
> they go wrong (like when pushing to the wrong repo).
What will happen to our personal web space? And what about
/srv/ftp/other/ ? Will they move to the new server? If so, we'll need
to whitelist enough commands so we can use them without being a PITA.
Could you give us a more detailed list of the commands that will be
allowed? I'm concerned that the shell would become so crippled that
it would be practically unusable.
More information about the arch-dev-public