Joerg Jaspert | 18 Jan 23:04 2009

Meeting agenda bot, website, git, ssh

Hi,

we now have a git service up and running, in which we can put the data
for our new website and also the to-be-written Meeting agenda bot.

A webview is behind http://git.spi-inc.org/cgi-bin/gitweb.cgi and that
also shows you the git checkout urls for the anonymous clone, basically
the usual simple git://git.spi-inc.org/$project.git

Those that need write access (Hello Ian, MJ, Jimmy) should send me a ssh
key they want to use for it. Clone from git@git.spi-inc.org:$project.git

-- 
bye, Joerg
Some NM:
main contains software that compiles with DFSG.
[hehehe, nice typo]
Of course, eye mean "complies", knot "compiles".  Sum typos cant bee
caught bye spelling checkers.
_______________________________________________
Spi-general mailing list
Spi-general <at> lists.spi-inc.org
http://lists.spi-inc.org/listinfo/spi-general
Ian Jackson | 19 Jan 11:44 2009

Re: Meeting agenda bot, website, git, ssh

Joerg Jaspert writes ("Meeting agenda bot, website, git, ssh"):
> we now have a git service up and running, in which we can put the data
> for our new website and also the to-be-written Meeting agenda bot.
> 
> A webview is behind http://git.spi-inc.org/cgi-bin/gitweb.cgi and that
> also shows you the git checkout urls for the anonymous clone, basically
> the usual simple git://git.spi-inc.org/$project.git

Great.

> Those that need write access (Hello Ian, MJ, Jimmy) should send me a ssh
> key they want to use for it. Clone from git@git.spi-inc.org:$project.git

Will do.

Is there one single access control setup for the whole thing, or are
there several ?  It would be nice to be able to let people edit the
website without giving them the power to run code on the server, for
example.

Ian.
Joerg Jaspert | 20 Jan 00:20 2009

Re: Meeting agenda bot, website, git, ssh


>> Those that need write access (Hello Ian, MJ, Jimmy) should send me a ssh
>> key they want to use for it. Clone from git@git.spi-inc.org:$project.git
> Will do.

> Is there one single access control setup for the whole thing, or are
> there several ?  It would be nice to be able to let people edit the
> website without giving them the power to run code on the server, for
> example.

No one gets access to the server directly. :)

(Well, in case someone needs access to a server, we can certainly
 arrange things. But that's completely separate from git access)

-- 
bye, Joerg
From a visitor at the LT:

The 3 Microsoft people at their booth must feel like 3
monks in a brothel.
Wichert Akkerman | 20 Jan 09:55 2009

Re: Meeting agenda bot, website, git, ssh

Previously Joerg Jaspert wrote:
> >> Those that need write access (Hello Ian, MJ, Jimmy) should send me a ssh
> >> key they want to use for it. Clone from git@git.spi-inc.org:$project.git
> > Will do.
> 
> > Is there one single access control setup for the whole thing, or are
> > there several ?  It would be nice to be able to let people edit the
> > website without giving them the power to run code on the server, for
> > example.
> 
> No one gets access to the server directly. :)

Did you install the gitweb security fix? :)

Wichert.

-- 
Wichert Akkerman <wichert <at> wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
Ian Jackson | 20 Jan 12:22 2009

Re: Meeting agenda bot, website, git, ssh

Joerg Jaspert writes ("Re: Meeting agenda bot, website, git, ssh"):
> [Ian Jackson:]
> > Is there one single access control setup for the whole thing, or are
> > there several ?  It would be nice to be able to let people edit the
> > website without giving them the power to run code on the server, for
> > example.
> 
> No one gets access to the server directly. :)
> 
> (Well, in case someone needs access to a server, we can certainly
>  arrange things. But that's completely separate from git access)

If the code for something running on the server is kept in git then
effectively everyone who can write to the git can run code on the
server, because even if pushing to the running copy is manual no-one
will review every diff.

Ian.
Joerg Jaspert | 21 Jan 10:06 2009

Re: Meeting agenda bot, website, git, ssh


>> > Is there one single access control setup for the whole thing, or are
>> > there several ?  It would be nice to be able to let people edit the
>> > website without giving them the power to run code on the server, for
>> > example.
>> No one gets access to the server directly. :)
>> (Well, in case someone needs access to a server, we can certainly
>>  arrange things. But that's completely separate from git access)
> If the code for something running on the server is kept in git then
> effectively everyone who can write to the git can run code on the
> server, because even if pushing to the running copy is manual no-one
> will review every diff.

Are we up to splitting hairs now? :)
So, for that:

No one except us admins has shell access to the box the git repo is on.
Yes, of course, if you can commit stuff you can commit bad things too.
Somehow that's (technically) not avoidable. Unless you want one of us
admins to play gatekeeper, and *I* sure do not want to add such a
restriction.

-- 
bye, Joerg
[Coffee machines and babies]
But it works in a similar way: you pour something in at the top and it comes out brown at the bottom...
   -- Martin Würtele
Ian Jackson | 21 Jan 11:27 2009

Re: Meeting agenda bot, website, git, ssh

Joerg Jaspert writes ("Re: Meeting agenda bot, website, git, ssh"):
> [Ian:]
> > If the code for something running on the server is kept in git then
> > effectively everyone who can write to the git can run code on the
> > server, because even if pushing to the running copy is manual no-one
> > will review every diff.
> 
> Are we up to splitting hairs now? :)

This was the motivation for my original question, so not
hair-splitting at all.

> Yes, of course, if you can commit stuff you can commit bad things too.
> Somehow that's (technically) not avoidable. Unless you want one of us
> admins to play gatekeeper, and *I* sure do not want to add such a
> restriction.

One obvious approach is to have differently-access-controlled git
repositories only some of which are able to take over the machine.

For example, people who need to edit web pages do not need to be able
to run code on the server.  I assume (perhaps over-optimistically)
that whatever CMS(s) we are using do not permit the author of the page
data to execute code on the server.

Ian.
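
One way to get the differently-access-controlled repositories proposed above when every committer shares the single `git` SSH account is a per-key forced command that checks a per-repository write list before handing off to `git-shell`. This is an added example, not part of the thread and not SPI's actual setup; the repository names, user names, `/srv/git` and the `/usr/local/bin/git-acl` install path are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for a shared `git` SSH account (added example)."""
import os
import shlex
import sys

# Constructed ACL (hypothetical names): repository -> key owners allowed to push.
# "website" holds page data; "agenda-bot" holds code that runs on the server.
WRITERS = {
    "website": {"ian", "mj", "jimmy"},
    "agenda-bot": {"joerg"},
}
REPO_ROOT = "/srv/git"  # assumption: bare repositories live here as <name>.git


def authorize(user, original_command):
    """Return (verb, repo) for a permitted request, else raise PermissionError."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        raise PermissionError("unparsable command")
    # Only the two git transport commands are accepted, so a key never yields a shell.
    if len(argv) != 2 or argv[0] not in ("git-upload-pack", "git-receive-pack"):
        raise PermissionError("only git fetch/push is permitted")
    verb, path = argv
    repo = path.lstrip("/")
    if repo.endswith(".git"):
        repo = repo[:-4]
    # Allowlist lookup: anything not named in WRITERS (including ../ paths) is refused.
    if repo not in WRITERS:
        raise PermissionError("unknown repository")
    if verb == "git-receive-pack" and user not in WRITERS[repo]:
        raise PermissionError(f"{user} may not push to {repo}")
    return verb, repo


if __name__ == "__main__":
    # authorized_keys entry, one per key (hypothetical install path):
    #   command="/usr/local/bin/git-acl ian",no-pty,no-port-forwarding ssh-rsa AAAA...
    try:
        verb, repo = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"))
    except (PermissionError, IndexError) as err:
        sys.exit(f"denied: {err}")
    os.chdir(REPO_ROOT)
    os.execvp("git-shell", ["git-shell", "-c", f"{verb} '{repo}.git'"])
```

The wrapper only limits who can push where; whatever is deployed from a repository still runs with the privileges of the service that uses it.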
Jimmy Kaplowitz | 21 Jan 23:39 2009

Re: SPI Board Meeting Announcement: Wednesday, December 17th, 2008

On Wed, Jan 21, 2009 at 11:44:59AM -0500, Jimmy Kaplowitz wrote:
> Software in the Public Interest, Inc., will hold a public board of directors
> meeting today, on Wednesday, January 21st, 2009, at 20:00 UTC. I apologize for
> the extremely late notice, due to illness on my part.

As you may have noticed, this announcement arrived after the meeting. I sent it
at roughly 16:45 UTC, as the above timestamp shows, much later than I would
have sent it if I were healthy but nevertheless before the meeting.
Unfortunately, Murphy's Law struck and SPI's mailing list server was down for
several hours today, preventing the timely dissemination of the announcement.
SPI server administrator and VP Joerg Jaspert assures me that he's working on a
long-term fix. Thanks to him for that, and I apologize for the lack of any
advance notice. Some old minutes were approved, and the February meeting was
moved sooner by one week (Feb 11 20:00 UTC), but all other actions were
deferred, including the vote on the resolution mentioned in the announcement.

- Jimmy Kaplowitz, SPI Secretary
secretary <at> spi-inc.org
MJ Ray | 24 Jan 21:05 2009

Meeting log for 2009-01-21

A few days later than usual because I've been having "fun" travelling.
Details appeared on identi.ca/mjray and may appear on my website soon.
Nothing SPI-related, really.  Now, on with the log:-

HIGHLIGHTS

[item 1, Opening]
<Ganneff> Welcome to today's Software in the Public Interest board of
directors meeting, which is now called to order. Today's agenda and
details of pending resolutions can be found on the web at:
http://www.spi-inc.org/secretary/agenda/2009/2009-01-21.html

[item 2, Roll Call]

<Maulkin> Neil McGovern     <Ganneff> Joerg Jaspert
<cdlu> David Graham         <Hydroxide> Jimmy Kaplowitz
<linuxpoet> Joshua D. Drake <zobel> Martin Zobel-Helas
<luk> Luk Claes

Known regrets from Michael Schultheiss.
Tentative regrets from Bdale Garbee.

[item 3, President's Report]
<Ganneff> None

[item 4, Treasurer's Report]
<Ganneff> schultmc - not here, so nothing

[item 5, Secretary's report]
<Hydroxide> I put a secretary's report in the agenda with various