www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carlos Sanchez <car...@apache.org>
Subject Re: File permissions in java-repository
Date Wed, 05 Oct 2005 17:50:30 GMT
That'd be the ideal solution, but also a bottleneck.
What we can do is change the poms in apache or ibiblio and open an
issue in the project with something like "the pom was improved please
update it from http://... ". Will take a lot more time, but we can try
that. Of course only for minimal changes like formats, removing
deprecations, ... not for changing the actual data.
For projects not building with maven it wouldn't be needed.

What do you think about this?

On 10/4/05, Dion Gillard <dion.gillard@gmail.com> wrote:
> Wouldn't it be better to get the POMs changed at the source and
> republished by the originating projects?
>
> On 10/5/05, Carlos Sanchez <carlos@apache.org> wrote:
> > Somebody?
> >
> > I'd need asap chgrp everything to apcvs and change masks to 644 to fix
> > and improve the poms.
> >
> > Thanks
> >
> > On 9/9/05, Brett Porter <brett.porter@gmail.com> wrote:
> > > Is this a reasonable action plan?
> > >
> > > - chgrp all files to apcvs
> > > - chmod all files to 644 (ie, not group writeable)
> > > - notify PMCs that are deploying to the repo to chgrp to their group to
> > > tighten up if desired, and ensure they are deploying with that setting (as
> > > well as 644)
> > > - monitor for files not 644
> > >
> > > It is rare to have to change these files, but they are metadata that
> > > represent the release and sometimes the metadata was not correct at the time
> > > of the release and so needs to be updated. The process I use to do this:
> > > - verify md5 matches
> > > - change file
> > > - recreate md5
> > >
> > > Note: Maven can deal with md5-only files, bsd-like md5 output and gnu md5
> > > output now, so its easiest just to do md5[sum] FILE >FILE.md5
> > >
> > > Thoughts? If we also agree on this, I think it is definitely time for me to
> > > pull together this, and the snapshot purging rules, document it and get it
> > > under way. I should have time next week now.
> > >
> > > Thanks,
> > > Brett
> > >
> > >
> > > On 9/9/05, Henk P. Penning <henkp@cs.uu.nl> wrote:
> > > > On Wed, 7 Sep 2005, Henk P. Penning wrote:
> > > >
> > > > > Date: Wed, 7 Sep 2005 08:56:02 +0200 (MEST)
> > > > > From: Henk P. Penning <henkp@cs.uu.nl>
> > > > > To: repository@apache.org, Carlos Sanchez <carlos@apache.org>
> > > > > Subject: Re: File permissions in java-repository
> > > >
> > > >   ...
> > > >
> > > > >   The problem with group writable files is that anybody in group
> > > > >   'apcvs' (1000 users) can change any group writable file.
> > > > >
> > > > >   If/when someone changes the content of a file, the file ownership
> > > > >   doesn't change, so, after a while, it is unclear who is responsible
> > > > >   for the content of repository files.
> > > >
> > > >   Case in point : see
> > > >
> > > >     http://people.apache.org/~henkp/checker/md5.html
> > > >
> > > >   Yesterday three files were replace in the repository :
> > > >
> > > >
> > > java-repository/commons-dbcp/poms/commons-dbcp-1.2.1.pom
> > > >     java-repository/commons-el/poms/commons-el-1.0.pom
> > > >
> > > java-repository/commons-fileupload/poms/commons-fileupload-1.0.pom
> > > >
> > > >   -- the md5's of the files are INCONSISTENT with
> > > >      the existing, corresponding '.md5' files, dated
> > > >      Jun 22  2004 (1,3) and Apr 26 18:58 (2)
> > > >
> > > >   -- the files are group writable and owned by 'bayard:apcvs"
> > > >
> > > >   -- Who changed these files ? Why ? Who will fix this ?
> > > >
> > > >   Henk Penning
> > > >
> > > >
> > > ----------------------------------------------------------------
> > >   _
> > > > Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> > > > Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/
\
> > > > Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
> > > > http://www.cs.uu.nl/staff/henkp.html          M
> > > penning@cs.uu.nl   \_/
> > > >
> > > >
> > >
> > >
> >
>
>
> --
> http://www.multitask.com.au/people/dion/
> "You are going to let the fear of poverty govern your life and your
> reward will be that you will eat, but you will not live." - George
> Bernard Shaw
>

Mime
View raw message