www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carlos Sanchez <car...@apache.org>
Subject Re: File permissions in java-repository
Date Tue, 04 Oct 2005 23:05:39 GMT
Somebody?

I'd need asap chgrp everything to apcvs and change masks to 644 to fix
and improve the poms.

Thanks

On 9/9/05, Brett Porter <brett.porter@gmail.com> wrote:
> Is this a reasonable action plan?
>
> - chgrp all files to apcvs
> - chmod all files to 644 (ie, not group writeable)
> - notify PMCs that are deploying to the repo to chgrp to their group to
> tighten up if desired, and ensure they are deploying with that setting (as
> well as 644)
> - monitor for files not 644
>
> It is rare to have to change these files, but they are metadata that
> represent the release and sometimes the metadata was not correct at the time
> of the release and so needs to be updated. The process I use to do this:
> - verify md5 matches
> - change file
> - recreate md5
>
> Note: Maven can deal with md5-only files, bsd-like md5 output and gnu md5
> output now, so its easiest just to do md5[sum] FILE >FILE.md5
>
> Thoughts? If we also agree on this, I think it is definitely time for me to
> pull together this, and the snapshot purging rules, document it and get it
> under way. I should have time next week now.
>
> Thanks,
> Brett
>
>
> On 9/9/05, Henk P. Penning <henkp@cs.uu.nl> wrote:
> > On Wed, 7 Sep 2005, Henk P. Penning wrote:
> >
> > > Date: Wed, 7 Sep 2005 08:56:02 +0200 (MEST)
> > > From: Henk P. Penning <henkp@cs.uu.nl>
> > > To: repository@apache.org, Carlos Sanchez <carlos@apache.org>
> > > Subject: Re: File permissions in java-repository
> >
> >   ...
> >
> > >   The problem with group writable files is that anybody in group
> > >   'apcvs' (1000 users) can change any group writable file.
> > >
> > >   If/when someone changes the content of a file, the file ownership
> > >   doesn't change, so, after a while, it is unclear who is responsible
> > >   for the content of repository files.
> >
> >   Case in point : see
> >
> >     http://people.apache.org/~henkp/checker/md5.html
> >
> >   Yesterday three files were replace in the repository :
> >
> >
> java-repository/commons-dbcp/poms/commons-dbcp-1.2.1.pom
> >     java-repository/commons-el/poms/commons-el-1.0.pom
> >
> java-repository/commons-fileupload/poms/commons-fileupload-1.0.pom
> >
> >   -- the md5's of the files are INCONSISTENT with
> >      the existing, corresponding '.md5' files, dated
> >      Jun 22  2004 (1,3) and Apr 26 18:58 (2)
> >
> >   -- the files are group writable and owned by 'bayard:apcvs"
> >
> >   -- Who changed these files ? Why ? Who will fix this ?
> >
> >   Henk Penning
> >
> >
> ----------------------------------------------------------------
>   _
> > Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> > Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
> > Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
> > http://www.cs.uu.nl/staff/henkp.html          M
> penning@cs.uu.nl   \_/
> >
> >
>
>

Mime
View raw message