www-repository mailing list archives

From "Mark R. Diggory" <mdigg...@apache.org>
Subject Re: md5's
Date Tue, 05 Oct 2004 18:11:03 GMT
Sigh, yes I did, but it was to allow Dion to take ownership of them, now 
I see he has not.

But, I'm not wholly convinced having what I was suggesting about groups 
taking ownership of their files is now tractable.

But I'm slowly becoming convinced that this cannot be maintained based 
on the current unix groups and historical policies behind the dist 
directory. The unix groups are not fine-grained enough to support 
adequate restriction at that project level. Further restriction, for 
instance "jakarta-commons" or "jakarta-tomcat", is required; the group 
"jakarta" can't adequately protect project level ownership/modification 
of these files. In the opposite direction, individual ownership without 
group write capabilities blocks individuals from "removing" releases 
when it is time for them to be excised.

I just do not have the proper permissions to process all these files and 
set them to be owned by the appropriate groups. This is why I started to 
suggest that svn may be a more appropriate location for the 
java-repository, because at least then we can have much greater control 
of these characteristics as well as historical logging of changes if any 
do occur.

-Mark

Henk P. Penning wrote:
> On Tue, 5 Oct 2004, Mark R. Diggory wrote:
> 
> 
>>Date: Tue, 05 Oct 2004 13:04:40 -0400
>>From: Mark R. Diggory <mdiggory@apache.org>
>>To: Henk P. Penning <henkp@cs.uu.nl>
>>Cc: apmirror@apache.org, dion <dion@apache.org>
>>Subject: Re: md5's
>>
>>I just wanted to verify if this was corrected, I saw the jelly files
>>that were not matching yesterday, I went back today to look into fixing
>>these and I believe that Dion made some corrections? Or was it someone else?
> 
> 
>   Not getting a reaction, I waved the problems through, this morning.
>   I mean, the 'problem' was that the files changed, together with the
>   md5's (The checker notices, because it remembers the original md5's).
>   In my database, I set the 'orig md5' to the 'current md5'.
> 
>   All I was looking for was a message saying: yes, I changed the files.
>   If you didn't change those files, there might be a (security) problem.
>   I should have been clearer.
> 
>   Note that the changed files are (again) group writable, so,
>   some 400 users can change them (everyone in group jakarta).
> 
>   Since our last exchange, I've seen the recommendation,
>   to set the umask to '002' ;
> 
>     http://cvs.apache.org/~bodewig/mirror.html
> 
>   This makes files group writable by default.
>   It seems to be common apache practice.
> 
>   Just curious:
> 
>   -- Did you change the files ?
>   -- Is your umask 002 ?
> 
> Apmirror,
> 
>   Isn't it time to change this 'umask 002' practice ?
>   Even a cronjob like
> 
>     find dist -type d -exec chmod g+w {} \;
> 
>   is to be preferred, I think.
> 
>   As things are now, file ownership means nothing.
> 
>   Regards.
> 
>   Henk Penning
> 
> 
>>-Mark
> 
> 
>>Henk P. Penning wrote:
>>
>>>Hi,
>>>
>>>  ... and another batch. See
>>>
>>>    http://www.apache.org/~henkp/md5/
>>>
>>>  HPP
>>>
>>>----------------------------------------------------------------   _
>>>Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
>>>Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
>>>Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
>>>http://www.cs.uu.nl/staff/henkp.html          M penning@cs.uu.nl  \_/
>>>
>>>---------- Forwarded message ----------
>>>Date: 1 Oct 2004 06:23:18 -0000
>>>From: Cron Daemon <henkp@minotaur.apache.org>
>>>To: henkp@cs.uu.nl
>>>Subject: Cron <henkp@minotaur> ( cd /home/henkp/md5         ; /usr/bin/make
>>>    -s cron )
>>>
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-20030902.160215.jar
>>>hist=d1e3117b90f697e6503e4ddf76bc0402 curr=b171e535366191e437cff6d64df33561
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-antlr-20030211.143720.jar
>>>hist=94cc61cbdcdfd3b75139d0ce2725138d curr=fe1ae9e40f3fd66031c781e9030b03b9
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-define-20030211.142932.jar
>>>hist=8ce6559775be62cfae8df109b2457a9c curr=5cc2cf3c1937887c1573ef1582fb3591
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-html-20030317.100924.jar
>>>hist=481b3ef3a7787ba232c4e1c43c32fe90 curr=040346a692601e498f4ea246d073f624
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-interaction-20030211.143817.jar
>>>hist=5e4fdc5465c3219b76aea54d7f2d47f3 curr=5450333754b59865bab146caf84c80df
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-jsl-20030211.143151.jar
>>>hist=f9d5c4302f9159217456e360217dc8b6 curr=24ea6cfe760c82d0707608fc785bc446
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-log-20030211.142821.jar
>>>hist=a8caadca9a8b82e0739e22742533592f curr=ba37d770969889069ad4fdddaf79209a
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-swing-20030211.143925.jar
>>>hist=55b0117e87a2e5b022ba9ed81d4008f8 curr=5bfe394074ecf17f48c9091e34044823
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-util-20030211.141939.jar
>>>hist=b0ef2b0baf9bcbaf86ea9d1591dfd487 curr=908ff22e0ea4a28f31223d90aef63ae9
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-velocity-20030303.205659.jar
>>>hist=dbef14092f3eb76c5079b09bf64ccf9d curr=7f65c8da0fe603ab2c1f61cc6f64d2aa
>>>*** md5 changed
>>>  java-repository/commons-jelly/jars/commons-jelly-tags-xml-20030211.142705.jar
>>>hist=d7d0ff195f88f65f4751a9d1dbcf1c09 curr=e9a5a13b74dc44157a1435bb925d0bf0
>>>*** md5 changed
>>>  java-repository/maven/jars/maven-model-1.1-SNAPSHOT.jar
>>>hist=911bad282cade77c6d535fdf94258af8 curr=574aa9c4f4540ed19089a53a06d3cc00
>>>
>>>
>>
>>--
>>Mark Diggory
>>Open Source Software Developer
>>Apache Jakarta Project
>>http://jakarta.apache.org
>>
> 
> 
> ----------------------------------------------------------------   _
> Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
> Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
> http://www.cs.uu.nl/staff/henkp.html          M penning@cs.uu.nl  \_/
> 

-- 
Mark Diggory
Open Source Software Developer
Apache Jakarta Project
http://jakarta.apache.org
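
An added example, not part of the original thread and not the checker used on minotaur: the check discussed above, written in Python. It remembers each file's md5, reports files whose md5 later differs, and lists files that are group writable, using a constructed temporary tree in which one file is created under umask 002 and one under umask 022. The function names and the file names a.jar and b.jar are assumptions made for the illustration.

```python
import hashlib
import os
import stat
import tempfile


def md5_of(path):
    # MD5 only because the thread's checker records md5's; the files here are small.
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def snapshot(root):
    """Map relative path -> md5 for every regular file under root."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            out[os.path.relpath(p, root)] = md5_of(p)
    return out


def audit(root, hist):
    """Compare the tree with a remembered snapshot; also list group-writable files."""
    changed, group_writable = [], []
    for rel, curr in sorted(snapshot(root).items()):
        if rel in hist and hist[rel] != curr:
            changed.append((rel, hist[rel], curr))
        if os.stat(os.path.join(root, rel)).st_mode & stat.S_IWGRP:
            group_writable.append(rel)
    return changed, group_writable


def demo():
    """Constructed tree: a.jar created under umask 002, b.jar under umask 022."""
    root = tempfile.mkdtemp()
    old = os.umask(0o002)
    try:
        with open(os.path.join(root, "a.jar"), "wb") as f:
            f.write(b"release-1")      # mode 0664: group writable
        os.umask(0o022)
        with open(os.path.join(root, "b.jar"), "wb") as f:
            f.write(b"release-1")      # mode 0644: owner only
    finally:
        os.umask(old)
    hist = snapshot(root)              # the remembered 'orig md5' values
    with open(os.path.join(root, "a.jar"), "wb") as f:  # constructed in-place change
        f.write(b"release-1-modified")
    return audit(root, hist)
```

Calling `demo()` returns the changed entries as `(path, hist, curr)` tuples and the list of group-writable paths; only the file created under umask 002 appears in the second list.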
