State of the archive

Egbert Eich eich at suse.de
Sun May 7 04:48:47 PDT 2006


Adam Jackson writes:
 > On Saturday 29 April 2006 15:56, Daniel Stone wrote:
 > 
 > > The response was that an X.Org machine would continue to serve
 > > ftp.x.org, and that annarchy's archive would be mirrored if it was only
 > > writable by a very small group ('xorg-release' was the strawman).  I
 > > don't believe that this is terribly useful: if you want to compromise
 > > code, it's infinitely easier to insert innocuous-looking rogue code[0]
 > > than to tarnish the archive.
 > 
 > And with the minor additional kung-fu of:
 > 
 > # find /srv/xorg.freedesktop.org/archive -type f -mmin +5 | xargs chattr +i
 > 
 > then as long as no one's upload stalls for more than 5 minutes at a time, you 
 > get unrestricted uploads as long as you don't try to clobber an existing 
 > file.

Right.
Additionally we sign the files both with md5 and SHA1 hashes
which are again signed by the person doing the package
release.
A compromise of the archives would not remain undetected for
long and one can make sure that any new package that's been
added originates from the person it claims to come from so
everyone can decide for himself whether to trust this person
or not.

 > 
 > Group restrictions are completely bogus.
 > 
 > > It's also a system I believe is thoroughly unnecessary: if we look to
 > > GNOME and Debian as precedents of how to deal with modular development,
 > > no such gateway is imposed.  Ubuntu and Fedora have minor splits (the
 > > designation of 'core' vs. 'non-core' developers), but given the scale of
 > > the numbers involved, I don't think that's applicable.  I have to
 > > profess ignorance on how other projects work, bar KDE, which is
 > > essentially a monolithic project in disguise.
 > 
 > +1.
 > 
 > > My proposal is simple: have an rsync job mirroring
 > > xorg.freedesktop.org::xorg-archive to ftp.x.org.  This would remove the
 > > ugly dichotomy that exists between xorg.freedesktop.org and x.org in
 > > terms of releases.  (You can guess my thoughts on the website also, but
 > > that's another matter entirely ...)
 > 
 > I heartily endorse this event or product.
 > 

The reason why this discussion came up was that people wanted
a tighter security policy on the X.Org servers than what currently
exists on freedesktop. A silly idea considering that we currently
point to freedesktop as the upstream source.

Ch.
	Egbert.
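The signed md5/SHA1 hashes Egbert describes are what make a compromised archive detectable. As an added example that is not code from this thread or from the X.Org project, the following POSIX shell script builds such a per-file manifest and verifies a tree against it, flagging modified, missing and unlisted files; the file names are constructed, and signing the manifest with the releaser's key is assumed to happen separately.

```shell
#!/bin/sh
# Added example, not code from the xorg thread: detect tampering with a release
# archive by checking every file against a manifest of MD5 and SHA1 digests.
# Signing the manifest with the releaser's key (e.g. gpg --detach-sign) is
# assumed to happen out of band; the file names below are constructed.
set -u
digest() { "$1" < "$2" | cut -d' ' -f1; }
# make_manifest DIR MANIFEST: one "md5  sha1  path" line per file under DIR.
make_manifest() {
    : > "$2"
    (cd "$1" && find . -type f | sort) | while IFS= read -r f; do
        printf '%s  %s  %s\n' "$(digest md5sum "$1/$f")" \
            "$(digest sha1sum "$1/$f")" "$f" >> "$2"
    done
}
# verify_archive DIR MANIFEST: prints MISSING/MODIFIED/UNLISTED lines and
# returns 1 on any problem, 0 if the tree matches the manifest exactly.
verify_archive() {
    rc=0
    while read -r md5 sha1 f; do
        if [ ! -f "$1/$f" ]; then echo "MISSING  $f"; rc=1; continue; fi
        if [ "$(digest md5sum "$1/$f")" != "$md5" ] ||
           [ "$(digest sha1sum "$1/$f")" != "$sha1" ]; then
            echo "MODIFIED $f"; rc=1
        fi
    done < "$2"
    # A file the releaser never signed for is as suspicious as a changed one.
    extra=$( (cd "$1" && find . -type f | sort) | while IFS= read -r f; do
        awk -v p="$f" '$3 == p { found = 1 } END { exit !found }' "$2" \
            || echo "UNLISTED $f"
    done )
    [ -z "$extra" ] || { echo "$extra"; rc=1; }
    return $rc
}
# demo: returns 0 when a clean tree passes and a tampered tree (one modified
# tarball plus one unsigned addition) is rejected with both findings reported.
demo() {
    t=$(mktemp -d); mkdir "$t/archive"
    printf 'constructed release bytes\n' > "$t/archive/libX11-1.0.tar.bz2"
    make_manifest "$t/archive" "$t/MANIFEST"
    verify_archive "$t/archive" "$t/MANIFEST" > /dev/null || return 1
    printf 'rogue\n' >> "$t/archive/libX11-1.0.tar.bz2"
    : > "$t/archive/libXrogue-0.1.tar.bz2"
    out=$(verify_archive "$t/archive" "$t/MANIFEST") && return 1
    rm -rf "$t"
    case $out in *MODIFIED*libX11*UNLISTED*libXrogue*) return 0 ;; esac
    return 1
}
demo && echo "clean tree verified, tampered tree rejected"
```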


