savannah-hackers-public

Re: [Savannah-hackers-public] Re: savannah shell access?


From: Sylvain Beucler
Subject: Re: [Savannah-hackers-public] Re: savannah shell access?
Date: Sat, 6 Jan 2007 15:14:13 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

On Sat, Jan 06, 2007 at 03:11:19PM +0100, Sylvain Beucler wrote:
> On Sat, Jan 06, 2007 at 02:01:59PM +0100, Jim Meyering wrote:
> > Sylvain Beucler <address@hidden> wrote:
> > ...
> > >> In order to set up a git->cvs mirror, I need to maintain a
> > >> cvs-checked-out copy of the coreutils module (eventually gnulib, too).
> > >> It must be accessible by the git update hook, to be used whenever
> > >> someone does a "git-push" to sv.gnu.org.
> > >>
> > >> For now, I'm using /var/tmp/git-to-cvs, but it's trivial to change.
> > >
> > > I think that depends how your hooks depend on it:
> > >
> > > - if they recreate it as needed, /var/tmp sounds good. Maybe /tmp is
> > > better because it's in ramfs
> > >
> > > - if they can't recreate it, maybe we need to place it somewhere that
> > > is backed-up (/var/lib/git/sthing),
> > 
> > It's easy to recreate.  Just check out from cvs.
> > 
> > The hook could theoretically check out a copy of the cvs module for each
> > git push, apply and commit the pushed change sets, and then remove it
> > when done.  However, I've preferred to maintain a clean, checked-out
> > directory in a known location and use that.  Far less overhead.
> > 
> > > - or maybe we need to recreate/repopulate the directories at boot time
> > > (like the cvs locks dirs)
> 
> I agree the working copy should not be created and deleted each time
> for efficiency.
> 
> From a security pov, there's a place where people need to put their
> files so that other projects/hooks cannot alter them. So I think the
> working directories (at least the top-level directory) need to be
> pre-created.
> 
> FHS doesn't guarantee that files in /var/tmp so following this view
> this means pre-created dirs need to be placed in /var/lib.
> 
> 
> Thus /var/lib/git/cvs-to-git/ and /var/lib/git/cvs-to-git/projectname
> would need to be created at project creation time.
> 
> 
> Maybe this security is too tight and cumbersome. If there's no risk
> when a project messes another project's working copy or pre-creates it
> with different permissions, then we can use something like /var/lock
> (1777) and let the hook create git-to-cvs/ and git-to-cvs/project on
> the fly when missing. In which case /var/tmp would be a good location.
> 
> 
> Those are the 2 solutions I see. Do you think there's a risk with the
> first one? Since this can be a reusable setup, assume users may have
> local access.

Though as you said this is easily changeable and can be better thought
of once the hook is actually running :)

-- 
Sylvain
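
An added example, not part of the original message or of Savannah's hooks: one way a hook could create git-to-cvs/project on the fly under a shared 1777 directory and still refuse a directory that another local user pre-created, replaced with a symlink, or left writable by others. The names `open_workdir` and `UnsafeWorkdir` are hypothetical, and the hook is assumed to run under a single known uid.

```python
import os


class UnsafeWorkdir(Exception):
    """The working-copy directory cannot be trusted."""


def open_workdir(base, project, uid=None):
    """Open base/git-to-cvs/project, creating missing levels with mode 0700.

    Returns a directory fd. Each level below `base` must be a real directory
    (no symlink), owned by `uid`, and not group- or world-writable.
    """
    uid = os.geteuid() if uid is None else uid
    if project in ("", ".", "..") or "/" in project:
        raise UnsafeWorkdir(f"bad project name: {project!r}")
    flags = os.O_RDONLY | os.O_DIRECTORY
    fd = os.open(base, flags)
    try:
        for name in ("git-to-cvs", project):
            try:
                os.mkdir(name, 0o700, dir_fd=fd)
            except FileExistsError:
                pass  # already there: possibly planted by another local user
            try:
                # O_NOFOLLOW makes a symlink at this level fail instead of
                # silently redirecting the hook somewhere else.
                child = os.open(name, flags | os.O_NOFOLLOW, dir_fd=fd)
            except OSError as exc:
                raise UnsafeWorkdir(f"{name}: not a plain directory") from exc
            os.close(fd)
            fd = child
            # fstat the descriptor we hold, so the checks and later use refer
            # to the same directory even if the name is swapped afterwards.
            st = os.fstat(fd)
            if st.st_uid != uid:
                raise UnsafeWorkdir(f"{name}: owned by uid {st.st_uid}")
            if st.st_mode & 0o022:
                raise UnsafeWorkdir(f"{name}: group/world-writable")
        return fd
    except BaseException:
        os.close(fd)
        raise
```

The returned descriptor can be handed to `os.fchdir()` before the hook runs its cvs commands, so the commands operate on the directory that was checked.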



