www-jcp-open mailing list archives

From "Geir Magnusson Jr." <g...@pobox.com>
Subject Re: Distributing TCK materials ideas....
Date Wed, 21 Apr 2010 01:28:17 GMT

On Apr 20, 2010, at 9:13 PM, Daniel Kulp wrote:

> In the current process, obtaining a new TCK artifact generally involves:
> 1) Request it from Geir
> 2) He downloads it from Sun and sticks it in your home directory
> 3) He sends you an email saying it's there (or worse: sends a note to jcp-open 
> saying it's there so the world sees)
> 4) You download it.
> The latest security breaches we had, to me, really show some dangers of 
> putting materials under NDA in people's home directories.  One thing I'd like 
> to do is get away from that.  Ideally, to me, we'd even get them off of 
> minotaur entirely.   Mino is definitely the least secure machine we have at 
> Apache and keeping anything there that needs to be held behind a veil of 
> privacy is, IMO, a bad idea and just asking for trouble.  
> Now that we have LDAP in place and all the machines have been updated to 
> FreeBSD 8 which supports virtually unlimited groups, I would suggest that we 
> use that as a starting point.   Figure out who needs TCKs and get appropriate 
> LDAP groups.    We have some starts of that with jcp-jaxws-nda, jcp-jaxrs-nda, 
> etc...  I'm not sure if that needs to be expanded.   Needs to be investigated.  
> Processing a new NDA would involve adding them to the appropriate LDAP 
> group/groups.  In any case, create a single area someplace readable by the 
> group where the materials are placed.  (more in a sec)   They are never placed 
> in home dirs.   

Using LDAP is a good idea for efficiency, but a NOOP from a security POV - people will put
materials in a home directory.

I'm actually not that worried if someone steals a TCK - they aren't licensed to use it and
if they claim they have certified an implementation and aren't a TCK licensee...

> We could start off with a specific area on mino with subdirs per group. I'd be 
> "ok" with that as a starting point as that gets them out of the home dirs so 
> someone would really need to look harder to find them.   However, ideally, 
> we'd get a private svn repo for the materials to be kept and the materials 
> would NEVER be placed on minotaur.  Yes, the materials are gigantic and SVN 
> isn't the "best option" for gigantic tarballs, but I think it would give us 
> better control and security.  

Key here is making it efficient, and I think what you have is good for that.

> In any case, when new materials are downloaded, they'd get stuck in the 
> appropriate place (svn or on mino) and a simple, "new materials avail" note 
> sent out.  Everyone in the appropriate group that was waiting for it can get 
> it when they are ready.   Doesn't need to be copied to 6 different home dirs, 
> etc...   Thus, it creates less work for the new suckers/volunteers.  :-)
> Thoughts?   Other ideas?   I'd be happy to try and start working with 
> infrastructure to get this set up if we think it's a good idea.

get going!


> -- 
> Daniel Kulp
> dkulp@apache.org
> http://dankulp.com/blog
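The group-readable drop area Daniel proposes, and the home-directory leak he wants to get away from, can both be expressed as a small POSIX shell check. This is an added example, not code from the thread or from ASF infrastructure; the directory names, the `jaxws-tck.tar.gz` file name and the scratch tree are constructed placeholders, and the group argument is assumed to be an existing Unix (LDAP-backed) group the caller belongs to.

```shell
#!/bin/sh
# Added example (not part of the original thread): a group-scoped drop area
# for NDA material, plus an audit that finds files "other" can read.
set -eu

# make_drop_area DIR [GROUP]
# Creates DIR so that only the owner and GROUP can read and traverse it.
# Mode 2750 sets the setgid bit, so files created inside inherit GROUP
# rather than the creator's primary group; umask 027 makes new files 640.
# Note: umask is process-wide, so it stays in effect after this returns.
make_drop_area() {
    dir=$1
    group=${2:-}            # assumption: an existing group the caller is in
    umask 027
    mkdir -p "$dir"
    if [ -n "$group" ]; then
        chgrp "$group" "$dir"
    fi
    chmod 2750 "$dir"
}

# world_readable_under DIR
# Prints each regular file under DIR that carries the o+r bit, i.e. files
# any local account could read. Empty output means nothing leaks outside
# the owning group; run it over home directories to spot the pattern the
# thread complains about.
world_readable_under() {
    find "$1" -type f -perm -o=r 2>/dev/null
}

# demo: build a constructed scratch tree and compare the two layouts.
demo() {
    scratch=$(mktemp -d)                      # assumption: writable temp dir
    make_drop_area "$scratch/tck"
    : > "$scratch/tck/jaxws-tck.tar.gz"       # constructed empty placeholder
    mkdir -p "$scratch/home/alice"
    : > "$scratch/home/alice/jaxws-tck.tar.gz"
    chmod 644 "$scratch/home/alice/jaxws-tck.tar.gz"   # the home-dir pattern
    echo "drop area leaks:  $(world_readable_under "$scratch/tck")"
    echo "home dir leaks:   $(world_readable_under "$scratch/home")"
    rm -rf "$scratch"
}

demo
```

Running it prints nothing for the drop area and the copy under the constructed home directory for the second line. The audit only looks at mode bits; a file in a 700 home directory is still unreadable to others even if its own mode is 644, so treat hits as candidates to review rather than confirmed exposure.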
