[Teammetrics-discuss] Bibref gather, missing package altree (Was: blends.debian.net down ?)
Andreas Tille
andreas at an3as.eu
Mon Apr 23 18:53:02 UTC 2012
Hi Charles,
(full quote to teammetrics list)
On Mon, Apr 23, 2012 at 11:33:31PM +0900, Charles Plessy wrote:
> On Sun, Apr 22, 2012 at 08:15:59AM +0200, Andreas Tille wrote:
> >
> > BTW, my GSoC student would be really happy to learn about how to get a
> > dedicated ssh key to alioth. To parse commits in VCSes we currently are
> > using private ssh keys which is very ugly. Could you give some hint /
> > link?
>
> I am using a passwordless key, that is restricted in its capacity of doing
> things. This restriction is a key point, because of course unrestricted
> passwordless keys are completely forbidden.
>
> I got the idea from some posts on Planet Debian (perhaps about ikiwiki) and I
> followed the general guidelines from the SVN documentation.
>
> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
>
> Here is the restriction command, that is added before 'ssh-rsa AAAAB3Nz...' in
> /srv/home/users/plessy/.ssh/authorized_keys on Alioth.
>
> command="/usr/bin/svnserve -t --tunnel-user=plessy",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding
>
> On blends.d.n, the passwordless private key is in my home directory, and I
> commit in a daily cron job with the following command.
>
> SVN_SSH="ssh -i $HOME/.ssh/alioth-svn-commit_rsa" svn commit $POOL -m 'Daily automatic umegaya push'
>
> In my understanding, an attacker who would steal the private key would be able
> to push stuff to the SVN repositories on Alioth (or exploit a security flaw of
> /usr/bin/svnserve), but is not able to do anything else.
>
> When I mentioned on debian-qa that I planned to use a passwordless restricted
> key, nobody commented, so I assume that there is a common agreement that it is
> secure.
>
> Of course, feel free to forward or quote me in public.
Thanks - doing so hereby to let Sukhbir know.
> But...
>
> Are you sure you need a SSH access to parse commits ? The 'svn diff' command
> works well with the SVN URLs. Try for instance:
>
> svn diff -r 10541:10542 svn://svn.debian.org/debian-med/
We tried to do so but the performance to do this over the network is
pretty slow. The only reasonable way to do this is directly on alioth
where a job prepares a reduced data set. This job also runs > 60min for
an initial fetching of the data - via network it was simply
unacceptable.
Sukhbir, any comments?
Kind regards
Andreas.
--
http://fam-tille.de
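
An added example, not part of the original message: a small Python audit of an authorized_keys file that reports keys lacking the restrictions quoted above (a forced `command=` plus the four `no-*` options). The names `option_names`, `audit` and `SAMPLE` are hypothetical, and the sample file is constructed with placeholder key material.

```python
import re

# The four no-* options on the quoted key, lower-cased because sshd matches
# option names case-insensitively. The newer "restrict" option implies them.
REQUIRED = {"no-port-forwarding", "no-pty", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# One option: a name, an optional quoted value (\" is an escaped quote), then
# a comma (more options follow) or whitespace (the options field ends).
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="(?:\\"|[^"])*")?(,|\s|$)')

def option_names(line):
    """Return the lower-cased option names of one authorized_keys line."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return []                       # line starts with the key type: no options
    names, pos = [], 0
    while (m := OPTION.match(line, pos)):
        names.append(m.group(1).lower())
        pos = m.end()
        if m.group(2) != ",":
            break
    return names

def audit(text):
    """Return [(line_no, [findings])] for keys that are not locked down."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names = set(option_names(line))
        findings = [] if "command" in names else ["no forced command"]
        if "restrict" not in names:
            findings += sorted("missing " + m for m in REQUIRED - names)
        if findings:
            report.append((n, findings))
    return report

SAMPLE = """\
# constructed sample; key material is placeholder text
command="/usr/bin/svnserve -t --tunnel-user=plessy",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER1 cron
ssh-rsa AAAAPLACEHOLDER2 laptop
command="/usr/bin/svnserve -t",no-pty ssh-rsa AAAAPLACEHOLDER3 partial
"""

if __name__ == "__main__":
    for line_no, findings in audit(SAMPLE):
        print(line_no, "; ".join(findings))
```

The audit only checks that the restrictions are present; it does not judge whether the forced command itself is safe to expose.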