[arch-dev-public] [RFC] Moving repos to nymeria
pierre at archlinux.de
Sat Sep 15 18:29:20 EDT 2012
On 15.09.2012 23:24, Florian Pritz wrote:
> Pierre said that we should support using devtools inside screen (db-move
> can take quite long) and screen allows to run other commands so limiting
> the shells doesn't seem possible right now.
It's dbscripts actually. As packages are signed an attacker cannot
inject any code. We should isolate svn though. A shell account with
limited permissions (no direct write access to the repos or svn) should
be secure enough then.
Maybe one day we will reimplement the whole process, but this won't be
done anytime soon.
> Limiting the shell creates a trusted server which makes signing the
> databases way more secure because even if we use remote signing the hash
> is calculated on the server.
We do not sign databases anyway atm. And imho we shouldn't do it until
it's possible to tell pacman to trust certain keys only for the
database. Then the worst case would be a replay attack which we would
detect. Using our packager keys to sign something that is calculated on
the server is a bad idea. The server cannot be trusted and our setup
should be based on that fact.
But this might go off-topic. Right now we don't sign databases and we
don't have a finished concept for this. So I'd say keep this in mind but
let us not limit by this.
Back to the actual topic: the community repo should be moved from
sigurd as we are running out of disk space. It is also beneficial to
have the dev and tu repos on the same server. Therefore, an easy solution would be to:
* have shell accounts for every dev and tu
* maybe review our group setup
* package files and svn files cannot be accessed by these accounts. Use
some sudo and dedicated user magic here so that only dbscripts can write
packages and the svn repo can only be accessed via an svn client.
We can have a more advanced setup later.
Pierre Schmitz, https://pierre-schmitz.com
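One way to express the "sudo and dedicated user" idea from the list above as a sudoers fragment. This is an added illustration, not a configuration from the mail or from the Arch infrastructure; the service account name "dbscripts", the group names "dev" and "tu", the install paths under /usr/local/bin and the ownership of the package tree are all assumptions, and the svn side (restricting access to an svn client) is not covered here.

```sudoers
# Assumed layout (not taken from the original mail):
#   - the package tree (e.g. /srv/ftp, mode 0755) and the dbscripts state are
#     owned by a dedicated service account "dbscripts";
#   - every dev and TU has a personal shell account in group "dev" or "tu";
#   - those accounts have no write access to the package tree at all, so the
#     only path to a repo change is the sudo rule below.

# The dbscripts entry points that are allowed to run as the service account.
# db-move is named in the mail; the other two are assumed to be installed
# alongside it at the same path.
Cmnd_Alias DBSCRIPTS = /usr/local/bin/db-update, \
                       /usr/local/bin/db-move, \
                       /usr/local/bin/db-remove

# Start the scripts with a clean environment so a caller's PATH, LD_*, or
# editor variables cannot influence what the service account executes.
Defaults!DBSCRIPTS env_reset, !setenv

# Devs and TUs may run exactly these commands, only as "dbscripts", and may
# not become the service account itself (no shell, no arbitrary command).
%dev, %tu  ALL = (dbscripts) DBSCRIPTS
```

Because the rule names full paths and a fixed target user, a `sudo -u dbscripts bash` or a sudo of any other binary is refused, while `sudo -u dbscripts db-move ...` still works from inside screen as before.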