| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 09/19/2015 05:12 PM, Michael Orlitzky wrote: |
| 5 |
> On 09/19/2015 05:16 PM, Daniel Campbell wrote: |
| 6 |
>> |
| 7 |
>> We'd just need a developer who's experienced in maintaining and |
| 8 |
>> setting them up. |
| 9 |
>> |
| 10 |
> |
| 11 |
> Has anyone ever set up Gitlab or Gerrit, managed by a package |
| 12 |
> manager, in a way that a small bug won't grant anonymous write |
| 13 |
> access to every single repository? |
| 14 |
> |
| 15 |
> Web projects tend to assume that they're the only application/user |
| 16 |
> on the server. And as far as security is concerned, that the server |
| 17 |
> is in a locked closet with no internet connection. Most of them |
| 18 |
> crash when you try to fix those assumptions. |
| 19 |
> |
| 20 |
> Github fails the second criterion[1], but it's not pointed directly |
| 21 |
> at our repositories. A developer still has to review and push each |
| 22 |
> commit, so the risk is mitigated. |
| 23 |
> |
| 24 |
> The infra team has high standards when it comes to this stuff, and |
| 25 |
> to fix it would require more than just a weekend of |
| 26 |
> experimentation. |
| 27 |
> |
| 28 |
> |
| 29 |
> [1] http://homakov.blogspot.com/2012/03/how-to.html |
| 30 |
> |
| 31 |
That's completely reasonable. I'm not advocating for any specific |
| 32 |
solution; infra knows the systems and it'd be up to them to choose a |
| 33 |
good solution. This makes me wonder now though, if the reason we |
| 34 |
settled on GitHub was because the others weren't good and/or secure |
| 35 |
enough. Personally I'm find with e-mails and cgit like we currently |
| 36 |
have, but I assume the goal of GitHub was to encourage more community |
| 37 |
involvement and make contributing easier. Still, were something to |
| 38 |
happen to GitHub we'd lose that ability and go back to standard |
| 39 |
overlays, e-mail, etc. |
| 40 |
|
| 41 |
- -- |
| 42 |
Daniel Campbell - Gentoo Developer |
| 43 |
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net |
| 44 |
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6 |
| 45 |
-----BEGIN PGP SIGNATURE----- |
| 46 |
Version: GnuPG v2 |
| 47 |
|
| 48 |
iQIcBAEBCAAGBQJV/g3BAAoJEAEkDpRQOeFwPoIQAI76TxONizirRc6bF58n+kKE |
| 49 |
Xxvlh/tl1lhFmJiyGLuy1HILEIbeeWX+8U9PFGWzYkh30Ie+7rc/L7Ya4jx3JrvE |
| 50 |
3Iu6nHrRCArPNeTMYiNqiCrGVqhQ8qW/27AaalUNstrBXwK0RGKjB5DBYrNDKGl9 |
| 51 |
6UD5N3JFXo6xHQULuVRY8IjI+2FOR+d/Yww/L22SFfkdVjxHuXGkwk9QP1ZEYwXZ |
| 52 |
eRx7Nb9RcJppcsSRtfeYI8Po4mRUZTRekMk36iOt35PC/eaw6wQePdC3pb0KJKaG |
| 53 |
lmSb6XMlvooEsipzTsycA1AwOPgou9Vtsj7G6O5Jxj9n3rCROygIFCSYVujlWXeQ |
| 54 |
mcZgZoxQpEo3oNTwKcz7XnY15d8IY/5Zd5rZ5LU6aHfknztJxlHsbDMTubJVM3nB |
| 55 |
IFRQ5q8McHfTXHNy6A91FL4eKN1IPLF0naRCN/7ipa94GeTIb2Xe8GyQ9wGG42Oi |
| 56 |
NCGSmjnc9GQP2F5X/qgqPLH4+8GPg6PXJNXl1gmkma20NdOS3ivBFX2pD6FFj8A3 |
| 57 |
Ju4fLKgFE+tD8Wv2+tnbo6oysd3zOODREi1fy/q/Ypik5wIxx1KKdntq1eFgvP6m |
| 58 |
VZOi+AOjhygM9TM8PjmBkmQ0HAUn2W3irqWpMUCiupaEwyyyZHA0iKzKHEVOhhut |
| 59 |
qHiucPnDyt+53WNkmzMN |
| 60 |
=cCuf |
| 61 |
-----END PGP SIGNATURE----- |
Archives