On Sat, Mar 19, 2022 at 11:03 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote: > > On Sat, Mar 19, 2022 at 10:58:59PM +0100, Fabio Valentini wrote: > > > > Oh, I think I know what's going on. I looked at > > src.fedoraproject.org/user/$user. > > But those group memberships are only synced if the user logs in, AFAIK? > > So ... do these packagers retain provenpackager capabilities in > > dist-git so long as they never log in? :) > > Yeah. Group memberships are refreshed there on login. > > But no one could use that, as if they logged in, it would refresh and > not let them use provenpackager access since they are no longer in the > group. Well, in the GUI, yes, but what about the access controls in git pre-receive hooks? You don't need to log in with the web GUI to do "fedpkg clone; do 'malicious changes'; git commit -m 'spec cleanup'; git push". Fabio _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure