Re: [Savannah-hackers] Re: A request for the website on behalf of the GNU project

From: Bradley M. Kuhn
Subject: Re: [Savannah-hackers] Re: A request for the website on behalf of the GNU project
Date: Sun, 4 Mar 2001 19:58:36 -0500
User-agent: Mutt/1.2.5i
> > OK, Lets start with an ftp site mirror, and a website mirror.
> >
> > Do you have a written policy? e.g.:
>
> At: <http://savannah.gnu.org> you will find a few links to different
> kinds of documentation, including webmastering, please check it up.
Also, I would note that much of this is covered in the GNU Maintainers Guide
(http://www.gnu.org/prep/maintain_toc.html).
We should have some more about savannah/subversions in the Maintainers
Guide soon.
> If you already have an account on the GNU machines, use your kerberos
> password to log in and then change it to something else.
> > -- what should the directory structure be?
>
> WWW:
> CVS:
More about the website and CVS is in the maintainers guide as well.
> > -- how do I get usage/hit/download statistics?
For FTP, we have a system to provide logs. We are going to have to make
some changes due to a problem we just discovered, but it will still be
there.
We can do something similar for websites, too.
> > Policy:
> > -- Do you host precompiled binaries? In the past, FSF has been reticent
> > about doing this.
> I think there will be no problem, but I would prefer somebody to
> re-confirm this.
Now that we have gnuftp with lots of disk space, this is not a problem. You
have to make sure that the source for all binary versions is also available
in the same place.
> > Security issues:
> > -- Should we md5/gpg sign all our sources and binaries? I believe we
> > should, but do you have any particular recommendations?
> > (I'm particularly nervous because I don't want to wake up someday
> > and read on slashdot about how some trojan horse in gnucash has been
> > e-mailing credit-card numbers to wherever).
> We have been discussing this (not only for savannah), but we haven't
> got a solution yet.
We do encourage maintainers to include a GPG, ascii-armored, signed md5sum
for each file. It's not required, but you can certainly do it, and we are
happy if you do.
>
> > -- what's the best (automated?) way I can assure that some hacker hasn't
> > busted into your site & altered the binaries (or source)? Do you
> > have any recommended scripts for rsync+md5 checking?
First, you likely mean 'cracker', not hacker.
Do you mean broken into the ftp or website and put trojan horses in the
source/binaries? This can easily be done, if the md5sum and GPG-signed
files are there.
I don't know of a script that can check this, but it's really easy to write
one in a few minutes. The important thing is that the GPG-signed, md5sum
files are there.
I can write a script for you if you need it that badly and don't have time
to write it.
> > > > 2) Surveys. I want to create a user survey ('what new
> > > > features..etc.) I think I finally found some good s/w for that,
> > > > but it's sql-backended and I'm paranoid about administering the
> > > > security aspects of that. Thus, if fsf provided that, I might
> > > > actually really, really consider it.
What is the concern about this software? That you don't have time to check
its security? At least one savannah-hacker seems willing to get it
installed, if you want, but I need to be clear what your concerns about
"security aspects" are.
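As an added example (not part of this message and not Savannah's or the GNU project's own tooling), here is the kind of script the two checksum passages above describe: the maintainer's GPG-clearsigned md5sum manifest is treated as the trusted record, and a mirrored release directory is checked against it, signature first. The layout (a `MD5SUMS.asc` file in the release directory, produced by `md5sum <files> | gpg --clearsign`, and a GnuPG home directory already holding the maintainer's public key), the function names and the sample file names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify a mirrored release directory against a GPG-signed
# md5sum manifest. Assumed layout (not the project's own convention):
#   <dir>/MD5SUMS.asc  -- output of `md5sum <files> | gpg --clearsign`
#   <dir>/<files>      -- the tarballs/binaries listed in that manifest
# The GnuPG home directory must already hold the maintainer's public key,
# obtained out-of-band: a good signature only proves the manifest is the
# one that key holder signed, not that the key belongs to the maintainer.

# signed_body FILE
# Print the signed text of a clearsigned file without the PGP framing:
# the body runs from the first blank line after the "Hash:" header up to
# the signature block, and clearsign's dash-escaping ("- -") is undone.
signed_body() {
    awk '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }
        body { sub(/^- /, ""); print }
        /^$/ && !body { body = 1 }
    ' "$1"
}

# verify_signature DIR GNUPGHOME
# Exit status 0 only if MD5SUMS.asc carries a good signature from a key
# present in the given GnuPG home directory.
verify_signature() {
    GNUPGHOME=$2 gpg --batch --no-tty --verify "$1/MD5SUMS.asc" >/dev/null 2>&1
}

# verify_checksums DIR
# Exit status 0 only if every file named in the manifest exists and hashes
# to the recorded value; --strict also rejects malformed manifest lines.
verify_checksums() {
    dir=$1
    manifest=$(signed_body "$dir/MD5SUMS.asc")
    [ -n "$manifest" ] || return 1      # an empty manifest is never trusted
    ( cd "$dir" && printf '%s\n' "$manifest" | md5sum -c --strict >/dev/null 2>&1 )
}

# verify_release DIR GNUPGHOME
# Fail closed: a missing or bad signature (status 2) means the checksums
# are not even consulted; a checksum mismatch is status 3.
verify_release() {
    verify_signature "$1" "$2" || return 2
    verify_checksums "$1" || return 3
    return 0
}

# make_fixture
# Construct a sample release directory for demonstration. The manifest's
# signature block is a placeholder, not a real signature, so only the
# checksum step can pass on it. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf 'sample source contents\n' > "$d/example-1.0.tar.gz"
    printf 'sample binary contents\n' > "$d/example-1.0-bin.tar.gz"
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' ''
        ( cd "$d" && md5sum example-1.0.tar.gz example-1.0-bin.tar.gz )
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' \
            'PLACEHOLDER-NOT-A-REAL-SIGNATURE' '-----END PGP SIGNATURE-----'
    } > "$d/MD5SUMS.asc"
    printf '%s\n' "$d"
}

# Usage: sh verify_mirror.sh /path/to/release/dir /path/to/gnupg-home
if [ $# -ge 2 ]; then
    if verify_release "$1" "$2"; then
        echo "release OK: signature good and all checksums match"
    else
        echo "release REJECTED (status $?)"
    fi
fi
```

Run it after each rsync of the mirror; a non-zero exit is the alert. The order matters: if the checksums were compared before the signature, an attacker who replaced a tarball and regenerated the unsigned sums would pass, so the sums are only read out of a manifest whose signature has already verified. The same script works unchanged with `sha256sum` in place of `md5sum`, which is the better choice today since MD5 collisions are practical; the signature over the manifest is what carries the trust either way.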