also sprach Sitaram Chamarty <sita...@atc.tcs.com> [2010.02.04.1400 +1300]:
> True. However, my concept of a workstation-originated install in
> the APT case would be different from that described above. See
> below.

Thanks for taking the time to reply to our distro-specific discussion!

> > In fact, I think the easy-install script, as nice as it is, should
> > not be installed by the Debian package.
>
> as that script looks now, yes, I agree.
>
> Easy install conceptually does 2 different things: (1) copy
> the actual code to the right places, and then (2) setup the
> RC file, create the initial repos (gitolite-admin and
> testing), and run the install/compile scripts to setup the
> authkeys file.
>
> It's only #1 that causes the problem you described. #2 does
> not; you can have a "setup my gitolite" script that does #2
> for each user who wants to host his own repos using his own
> userid.

Absolutely. Essentially, this is what I proposed: assuming that #1
is taken care of elsewhere (APT), I tried to enumerate the steps #2
would have to do, since I could not figure out how to make
gl-install or gl-easy-install do just those steps.

If the two were split up into e.g. gl-install-remote and
gl-setup-local (to be run via SSH on the target machine), then
yes... there would be no reason to use anything other than
gl-setup-local. gl-easy-install would simply combine the two.

> When there is an upgrade, the software (what I called #1 above)
> would be upgraded by APT, and even workstation originated installs
> would use it so that's fine.

The issue I am addressing is that Bob might have installed gitolite
on his workstation, and used gl-install-remote to push it to Server.
The next day, you discover a bug in gitolite, which allows Mallory
write-access. You fix it and Alice, who maintains gitolite for
Debian, immediately publishes the updated package. The next day,
Bob's machine is upgraded and the software fixed, but Bob doesn't
actually know about any of this, and thus he does not run
gl-install-remote to upgrade his install. Mallory writes bad code
into Bob's repository, and the world explodes.

If instead gitolite were installed on the server and managed by APT,
then Bob would have set up his instance with gl-setup-local, and
when Alice's update hit the APT mirror and Server's admin upgraded
the machine, Mallory would be locked out.

Does this make sense?

-- 
 .''`.   martin f. krafft <madd...@d.o>      Related projects:
: :' :   proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

if voting could really change things, it would be illegal.
                                       -- revolution books, new york