savannah-users

[Savannah-users] Re: Replacing FTP queue with SFTP?


From: Sylvain Beucler
Subject: [Savannah-users] Re: Replacing FTP queue with SFTP?
Date: Fri, 3 Nov 2006 14:46:43 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

Hi,

Here are some answers :)

[Download/upload]

On Thu, Nov 02, 2006 at 03:16:20PM -0800, Andy Tai wrote:
> I think general ftp definitely cannot be replaced by sftp.  That will be
> very inconvenient for the common users and the lack of ftp access will
> become a significant handicap for Savannah as a general free software site
> in the manner of sourceforge.

On Fri, Nov 03, 2006 at 10:47:17AM +0800, address@hidden wrote:
> Some users behind firewall can only get http or ftp access.
> On the other hand, many of them do not know what is 'sftp'.
> I like to upload via SFTP system greatly. I also like use
> SFTP system to download it , but the users do not think so.
> If I have to select one of them as download system, I prefer
> ftp. By the way, is it troublesome to map SFTP service to port 21?

We're talking about the _upload_ method. Downloads are
available through HTTP only at dl.sv.gnu.org/releases/

If you can use CVS or Arch as a developer, you can use SFTP :)


On Fri, Nov 03, 2006 at 04:44:54AM +0100, Andreas K. Foerster wrote:
> What I really would like to have is, that others can download the files
> by anonymous FTP.

We do not plan to support FTP as a download method, because we're
thinking about mirrors and automatic/semi-automatic redirections to
the nearest one. Technically it would be possible to do so with FTP in
'active' mode, but certainly less easily than with a small CGI script
using Geo::IP ;)


On Fri, Nov 03, 2006 at 01:30:42AM +0100, Eric Noulard wrote:
> But could you precise "which SFTP" do you mean:
> A) Secure FTP that is FTP using SSH port 22
> B) Simple FTP which is on port 115
> Ref.: http://en.wikipedia.org/wiki/List_of_well-known_ports_(computing)
> My answer assumes A).

Correct ;)
scp and rsync should work as well.


[Signing]

On Fri, Nov 03, 2006 at 11:48:14AM +0100, Andreas K. Foerster wrote:
> But a side-effect is this: with the anonymous FTP an administrator could
> say to someone "please upload this for me - here is the package and my
> signature" - That will be no longer possible...?

No, indeed, but at the same time nobody will be able to upload old
security-flawed releases or signed mails from you either.


On Fri, Nov 03, 2006 at 10:28:18AM +0100, Paolo Bonzini wrote:
> I think that it's a good move, *but* please keep comprehensive
> instructions on how to GPG-sign the tarballs so that new users keep
> signing them.

Will do :) We still consider signing necessary. It might be
required if we set up mirrors, for example.


[Clarification]

On Fri, Nov 03, 2006 at 02:53:52PM +0200, Eli Zaretskii wrote:
> I'm not sure I understand what would be affected by this change, and
> thus cannot make up my mind about the issue.  Could you perhaps say a
> few words about when the download area is used and for what purposes?

The download area is used to store files at
download.sv.[non]gnu.org/releases/

Currently you post files and signatures at
ftp://address@hidden:/incoming/savannah/project and files are
processed by the FTP queue daemon every 5 minutes - similar to what
runs at ftp-upload.gnu.org.

The alternative is to provide direct sFTP/scp/rsync access to the
project download area. However, we don't want to run both systems at
the same time (see below).

Note that this does not affect ftp.gnu.org, unless we decide to sync
it with Savannah (as is done for the CVS project).


[Transition]

On Thu, Nov 02, 2006 at 05:04:58PM -0700, Wesley J. Landaker wrote:
> Since there are Free Software SFTP clients available for pretty much every
> operating system, it seems like there is no reason to keep supporting FTP
> once SFTP is in place, except perhaps as a transitional measure for people
> who might have e.g. scripts that do their uploading.

I think it would be good to announce the switch, keep both running at
the same time for a month, and close the FTP queue.


[CVS]

On Thu, Nov 02, 2006 at 04:32:18PM -0700, Owen Swerkstrom wrote:
> On a separate note, subversion in addition to or in place of CVS would
> make me (and I'm guessing others) very very happy.  CVS is fine, but
> after being spoiled hacking on some projects hosted in SVN, it can be
> a little painful going back.

We're currently experimenting with git.

There's some work done on SVN to some extent. Check the roadmap:
https://savannah.gnu.org/maintenance/WhenSvN

It would be good to code a working dump import in particular.


[Technical details]

On Fri, Nov 03, 2006 at 04:44:54AM +0100, Andreas K. Foerster wrote:
> see http://download.sv.nongnu.org/releases/akfquiz/
> (By the way, it is also accessible with nongnu replaced with gnu.
> Is that a bug? It is definitely not a GNU package (yet?))

sv.nongnu and sv.gnu are currently hosted by the same machine - but
there's no long-term guarantee.

Meanwhile it would be troublesome to implement directions here, so the
downloads are currently available from both URLs.


On Fri, Nov 03, 2006 at 04:44:54AM +0100, Andreas K. Foerster wrote:
> > It will be troublesome to keep both the old FTP queue
> > system and SFTP at the same time though.
>
> Why? Is there any connection?

Yes: files uploaded via the queue are owned by the queue daemon, as
well as directories created with a queue directive. This can lead to
situations where you cannot use SFTP to remove files uploaded via the
FTP queue.

Furthermore, I would like to avoid keeping the queue daemon running as
a kind of 'downloads super-user' concurrently with SFTP access - it
might be tricked with symlinks to upload files to other projects than
the uploader's. The daemon was checked in this regard, but the general
security model doesn't feel good.


On Fri, Nov 03, 2006 at 01:30:42AM +0100, Eric Noulard wrote:
> Moreover, what is the purpose of the switch?
> Avoid anonymous FTP and replace it with SSH identified
> key just as with the CVS access?

That's it :)

-- 
Sylvain
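
Added example, not part of the original message and not Savannah's queue daemon code: one way a privileged upload daemon can refuse the symlink trick described under [Technical details], by opening each path component relative to its parent with O_NOFOLLOW. The names `deliver`, `Refused`, `alpha`, `beta` and the file names are hypothetical; it assumes a POSIX system where Python's `os.open` supports `dir_fd`.

```python
import os
import tempfile

class Refused(Exception):
    """The destination cannot be reached without leaving the project area."""

def deliver(releases_root, project, relpath, data):
    """Write data to releases_root/project/relpath, never following symlinks."""
    parts = (project + "/" + relpath).split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise Refused("bad path component in %r" % relpath)
    fd = os.open(releases_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Descend one component at a time relative to the already-open parent;
        # O_NOFOLLOW makes a symlink planted by an SFTP user fail here.
        for name in parts[:-1]:
            try:
                nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            except OSError as e:
                raise Refused("%s: %s" % (name, e.strerror)) from e
            os.close(fd)
            fd = nxt
        # O_CREAT|O_EXCL refuses an existing name, including a symlink.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        try:
            out = os.open(parts[-1], flags, 0o644, dir_fd=fd)
        except OSError as e:
            raise Refused("%s: %s" % (parts[-1], e.strerror)) from e
        with os.fdopen(out, "wb") as f:
            f.write(data)
    finally:
        os.close(fd)

def demo():
    """Constructed tree: project 'alpha' holds a symlink into project 'beta'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "alpha"))
    os.makedirs(os.path.join(root, "beta"))
    os.symlink("../beta", os.path.join(root, "alpha", "stable"))
    deliver(root, "alpha", "pkg-1.0.tar.gz", b"ok")
    try:
        deliver(root, "alpha", "stable/pkg-1.0.tar.gz", b"other")
        refused = False
    except Refused:
        refused = True
    beta = sorted(os.listdir(os.path.join(root, "beta")))
    return refused, beta, sorted(os.listdir(os.path.join(root, "alpha")))

if __name__ == "__main__":
    print(demo())
```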



