Toshio Kuratomi (a.badger@xxxxxxxxx) said:
> One thing that was mentioned was the lack of fs acls at the moment.
> After looking at what we have now, I'm not sure that fs acls fix
> anything that's not also broken currently.
>
> Currently:
>
> * the cvs repository has no fs acls
> * unix group for all directories is set to packager with a sticky group bit.
> * the cvs acl script limits who can actually commit to packages to
>   @provenpackager and the specific people involved.
>
> Implementation-wise, the proposal would allow the cvs acl script to have
> @packager as another allowed group so people who are just in the
> packager group can commit to a specific package.
>
> I can see fs acls being used to lock down our repo against bugs in the
> cvs acl script or being used to replace the cvs acl script. But that
> seems to be somewhat separate from the proposal. I don't think it would
> solve anything specific to the proposal but could make things more
> secure for both the current and proposed method.
>
> notting, do you see something that I don't?

You *could* swap the permissions so that all packages are only
provenpackager-writable, and implement packager (and owner) access
via FS acls. Whether that scales or not is another matter.

Bill

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list