State of the archive

Zephaniah E. Hull warp at aehallh.com
Sun Apr 30 11:58:15 PDT 2006


On Sat, Apr 29, 2006 at 05:09:07PM -0700, Donnie Berkholz wrote:
> Daniel Stone wrote:
> >The response was that an X.Org machine would continue to serve
> >ftp.x.org, and that annarchy's archive would be mirrored if it was only
> >writable by a very small group ('xorg-release' was the strawman).  I
> >don't believe that this is terribly useful: if you want to compromise
> >code, it's infinitely easier to insert innocuous-looking rogue code[0]
> >than to tarnish the archive.
> 
> The difference of privilege between who can commit and who can release 
> is absolutely meaningless unless the releaser is personally auditing 
> every commit.
> 
> On a more philosophical note, if you don't trust your committers, there 
> are more serious issues.

I have to agree on both counts, though I should note that at least some
of us try to keep up with all the changes made to our chunks of code,
not so much for security reasons but because that makes it easier to
keep it all in our heads.

That said, anyone with CVS/git write, some skill, and a desire to put
something nasty into our code trees is going to succeed; a restricted
gate on the actual releases makes no sense at all.  Not with the modular
releases as we are doing them, and not with a project as open and as
fluid about releases as we would like to be.

The daemon which takes a gpg signed properly formatted file plus the
release files sounds a great deal like the debian handling of uploaded
files, and I'd be willing to accept something like that, especially if
it would automatically send stuff to -announce and would get us ftp.x.org
back.

But the real key there is getting us ftp.x.org as something that's
actually useful to the project, because as far as I can tell the machine
in question is actually being more harmful than helpful.

But that's just me, and I'm pretty new to the project.

Zephaniah E. Hull.

-- 
	  1024D/E65A7801 Zephaniah E. Hull <warp at aehallh.com>
	   92ED 94E4 B1E6 3624 226D  5727 4453 008B E65A 7801
	    CCs of replies from mailing lists are requested.

     "First they came for the Jews, and I didn't speak out - because I
was not a Jew. Then they came for the Communists, and I did not speak
out - because I was not a Communist. Then they came for the trade
unionists, and I did not speak out - because I was not a trade unionist.
Then they came for me and there was no one left to speak for me!"
  - Pastor Niemoeller - victim of Hitler's Nazis