www-repository mailing list archives

From Dion Gillard <dion.gill...@gmail.com>
Subject Re: File permissions in java-repository
Date Wed, 05 Oct 2005 00:24:47 GMT
Wouldn't it be better to get the POMs changed at the source and
republished by the originating projects?

On 10/5/05, Carlos Sanchez <carlos@apache.org> wrote:
> Somebody?
>
> I'd need asap chgrp everything to apcvs and change masks to 644 to fix
> and improve the poms.
>
> Thanks
>
> On 9/9/05, Brett Porter <brett.porter@gmail.com> wrote:
> > Is this a reasonable action plan?
> >
> > - chgrp all files to apcvs
> > - chmod all files to 644 (ie, not group writeable)
> > - notify PMCs that are deploying to the repo to chgrp to their group to
> > tighten up if desired, and ensure they are deploying with that setting (as
> > well as 644)
> > - monitor for files not 644
> >
> > It is rare to have to change these files, but they are metadata that
> > represent the release and sometimes the metadata was not correct at the time
> > of the release and so needs to be updated. The process I use to do this:
> > - verify md5 matches
> > - change file
> > - recreate md5
> >
> > Note: Maven can deal with md5-only files, bsd-like md5 output and gnu md5
> > output now, so it's easiest just to do md5[sum] FILE >FILE.md5
> >
> > Thoughts? If we also agree on this, I think it is definitely time for me to
> > pull together this, and the snapshot purging rules, document it and get it
> > under way. I should have time next week now.
> >
> > Thanks,
> > Brett
> >
> >
> > On 9/9/05, Henk P. Penning <henkp@cs.uu.nl> wrote:
> > > On Wed, 7 Sep 2005, Henk P. Penning wrote:
> > >
> > > > Date: Wed, 7 Sep 2005 08:56:02 +0200 (MEST)
> > > > From: Henk P. Penning <henkp@cs.uu.nl>
> > > > To: repository@apache.org, Carlos Sanchez <carlos@apache.org>
> > > > Subject: Re: File permissions in java-repository
> > >
> > >   ...
> > >
> > > >   The problem with group writable files is that anybody in group
> > > >   'apcvs' (1000 users) can change any group writable file.
> > > >
> > > >   If/when someone changes the content of a file, the file ownership
> > > >   doesn't change, so, after a while, it is unclear who is responsible
> > > >   for the content of repository files.
> > >
> > >   Case in point : see
> > >
> > >     http://people.apache.org/~henkp/checker/md5.html
> > >
> > >   Yesterday three files were replaced in the repository :
> > >
> > >     java-repository/commons-dbcp/poms/commons-dbcp-1.2.1.pom
> > >     java-repository/commons-el/poms/commons-el-1.0.pom
> > >     java-repository/commons-fileupload/poms/commons-fileupload-1.0.pom
> > >
> > >   -- the md5's of the files are INCONSISTENT with
> > >      the existing, corresponding '.md5' files, dated
> > >      Jun 22  2004 (1,3) and Apr 26 18:58 (2)
> > >
> > >   -- the files are group writable and owned by 'bayard:apcvs'
> > >
> > >   -- Who changed these files ? Why ? Who will fix this ?
> > >
> > >   Henk Penning
> > >
> > >
> > > ----------------------------------------------------------------   _
> > > Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> > > Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
> > > Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
> > > http://www.cs.uu.nl/staff/henkp.html          M penning@cs.uu.nl   \_/
> > >
> > >
> >
> >
>


--
http://www.multitask.com.au/people/dion/
"You are going to let the fear of poverty govern your life and your
reward will be that you will eat, but you will not live." - George
Bernard Shaw
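
The monitoring step from the quoted action plan (flag files that are not 644, check each file against its .md5 in bare, BSD or GNU layout), as an added example that is not part of the original thread or of any Apache tooling. The function names and the sample POM files built in demo() are constructed for illustration.

```python
import hashlib, os, re, stat, tempfile
# Sidecar layouts named in the thread: bare digest, BSD-style, GNU md5sum.
BSD = re.compile(r"^MD5 ?\(.+\) = (?P<hex>[0-9a-fA-F]{32})$")
GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})(?: [ *].+)?$")

def parse_md5_sidecar(text):
    """Return the lowercase digest from .md5 file content, or None."""
    line = (text.strip().splitlines() or [""])[0].strip()
    m = BSD.match(line) or GNU.match(line)
    return m.group("hex").lower() if m else None

def audit(root):
    """Yield (path, problem) for files that are not 644 or fail their md5."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode != 0o644:
                yield path, "mode %03o, expected 644" % mode
            if name.endswith(".md5"):
                continue  # a sidecar is checked through the file it covers
            try:
                with open(path + ".md5") as fh:
                    recorded = parse_md5_sidecar(fh.read())
            except FileNotFoundError:
                yield path, "no .md5 file"
                continue
            with open(path, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
            if recorded != actual:
                yield path, "md5 mismatch"

def demo():
    """Constructed tree: one clean POM, one edited and group-writable POM."""
    def put(root, name, data, mode=0o644):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    digest = hashlib.md5(b"<project/>").hexdigest()
    with tempfile.TemporaryDirectory() as root:
        put(root, "a-1.0.pom", b"<project/>")
        put(root, "a-1.0.pom.md5", (digest + "  a-1.0.pom\n").encode())
        put(root, "b-1.0.pom", b"<project>edited</project>", 0o664)
        put(root, "b-1.0.pom.md5", ("MD5 (b-1.0.pom) = %s\n" % digest).encode())
        return sorted((os.path.basename(p), why) for p, why in audit(root))

if __name__ == "__main__":
    print(demo())
```

The audit only reports; it can show that a file no longer matches its .md5 but not who changed it, which is the gap the chgrp/644 change is meant to close.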
