www-repository mailing list archives

From Brett Porter <brett.por...@gmail.com>
Subject Re: File permissions in java-repository
Date Fri, 09 Sep 2005 07:24:14 GMT
Is this a reasonable action plan?

- chgrp all files to apcvs
- chmod all files to 644 (i.e., not group writeable)
- notify PMCs that are deploying to the repo to chgrp to their group to 
tighten up if desired, and ensure they are deploying with that setting (as 
well as 644)
- monitor for files not 644

It is rare to have to change these files, but they are metadata that 
represent the release and sometimes the metadata was not correct at the time 
of the release and so needs to be updated. The process I use to do this:
- verify md5 matches
- change file
- recreate md5

Note: Maven can deal with md5-only files, bsd-like md5 output and gnu md5 
output now, so it's easiest just to do md5[sum] FILE >FILE.md5

Thoughts? If we also agree on this, I think it is definitely time for me to 
pull together this, and the snapshot purging rules, document it and get it 
under way. I should have time next week now.

Thanks,
Brett

On 9/9/05, Henk P. Penning <henkp@cs.uu.nl> wrote:
> 
> On Wed, 7 Sep 2005, Henk P. Penning wrote:
> 
> > Date: Wed, 7 Sep 2005 08:56:02 +0200 (MEST)
> > From: Henk P. Penning <henkp@cs.uu.nl>
> > To: repository@apache.org, Carlos Sanchez <carlos@apache.org>
> > Subject: Re: File permissions in java-repository
> 
> ...
> 
> > The problem with group writable files is that anybody in group
> > 'apcvs' (1000 users) can change any group writable file.
> >
> > If/when someone changes the content of a file, the file ownership
> > doesn't change, so, after a while, it is unclear who is responsible
> > for the content of repository files.
> 
> Case in point : see
> 
> http://people.apache.org/~henkp/checker/md5.html
> 
> Yesterday three files were replaced in the repository :
> 
> java-repository/commons-dbcp/poms/commons-dbcp-1.2.1.pom
> java-repository/commons-el/poms/commons-el-1.0.pom
> java-repository/commons-fileupload/poms/commons-fileupload-1.0.pom
> 
> -- the md5's of the files are INCONSISTENT with
> the existing, corresponding '.md5' files, dated
> Jun 22 2004 (1,3) and Apr 26 18:58 (2)
> 
> -- the files are group writable and owned by 'bayard:apcvs'
> 
> -- Who changed these files ? Why ? Who will fix this ?
> 
> Henk Penning
> 
> ---------------------------------------------------------------- _
> Henk P. Penning, Computer Systems Group R Uithof CGN-A232 _/ \_
> Dept of Computer Science, Utrecht University T +31 30 253 4106 / \_/ \
> Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
> http://www.cs.uu.nl/staff/henkp.html M penning@cs.uu.nl \_/
> 
>
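
An added example, not part of the original messages and not Apache or Maven tooling: a Python check for the "monitor for files not 644" step, combined with the .md5 consistency check discussed in the thread. It accepts md5-only, GNU and BSD style .md5 files; the function names and the sample files built in demo() are constructed for illustration.

```python
import hashlib, re, stat, tempfile
from pathlib import Path

GNU = re.compile(r"^([0-9a-fA-F]{32})(?:\s+\*?.*)?$")   # also matches md5-only
BSD = re.compile(r"^MD5 ?\(.*\) = ([0-9a-fA-F]{32})$")

def parse_md5(text):
    """Digest from an md5-only, GNU or BSD style .md5 file, else None."""
    line = text.strip().splitlines()[0].strip() if text.strip() else ""
    m = GNU.match(line) or BSD.match(line)
    return m.group(1).lower() if m else None

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def check(path):
    """Problems for one file: mode other than 644, or disagreement with FILE.md5."""
    path, problems = Path(path), []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode != 0o644:
        problems.append("mode %03o" % mode)
    sidecar = Path(str(path) + ".md5")
    if sidecar.exists():
        recorded = parse_md5(sidecar.read_text())
        if recorded != md5_of(path):
            problems.append("md5 mismatch" if recorded else "md5 unparsable")
    return problems

def audit(root):
    """Map relative path -> problems for every non-.md5 file under root."""
    files = (p for p in sorted(Path(root).rglob("*"))
             if p.is_file() and p.suffix != ".md5")
    report = {str(p.relative_to(root)): check(p) for p in files}
    return {name: probs for name, probs in report.items() if probs}

def demo():
    """Constructed sample tree: a clean file, and one group-writable and edited."""
    root = Path(tempfile.mkdtemp())
    for name, mode, fmt in (("a-1.0.pom", 0o644, "MD5 (a-1.0.pom) = %s\n"),
                            ("b-1.0.pom", 0o664, "%s  b-1.0.pom\n")):
        pom = root / name
        pom.write_text("<project/>\n")
        Path(str(pom) + ".md5").write_text(fmt % md5_of(pom))
        pom.chmod(mode)
    (root / "b-1.0.pom").write_text("<project>edited after release</project>\n")
    return audit(root)

if __name__ == "__main__":
    print(demo())
```

A file that is reported with both a mode problem and an md5 mismatch matches the situation described in the quoted message: group-writable and changed after its .md5 was recorded.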
