Mike Frysinger wrote:
> On Saturday 24 June 2006 18:54, Edward Catmur wrote:
>> * Security (from malicious contributors): Glad to see layman will only
>> track the reviewed/ tree; still, anyone who checks out the sunrise/ tree
>> (and has it in PORTDIR_OVERLAY) is vulnerable.
>>
>> - Remove from the examples any suggestion that one should check out the
>> whole tree when contributing. Point out that one should not svn up
>> sunrise/ as part of updating Portage.
>
> valid point i think

The guide has been edited to inform users that they should *not* use the
sunrise/ tree for any reason other than committing. Now, in the
HowToCommit guide, near the instructions for checking out the sunrise/
tree, it clearly states that you should not set it as your
PORTDIR_OVERLAY, but use the reviewed/ instead.

>
> ive never admined svn repos before, but would it be possible to shut off anon
> access to the non-reviewed tree ? i think that would cover this issue as
> people who get bit by bugs in the non-reviewed tree would (and should) be
> able to just go in and fix it themselves :)

As far as I understand, not allowing anonymous users to check out the
sunrise/ directory *is* going to be implemented in the future, but you
should get a second word from genstef or jokey on that as I'm not
completely sure.

--
David Shakaryan
GnuPG Public Key: 0x4B8FE14B