-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/19/2015 05:12 PM, Michael Orlitzky wrote:
> On 09/19/2015 05:16 PM, Daniel Campbell wrote:
>>
>> We'd just need a developer who's experienced in maintaining and
>> setting them up.
>>
>
> Has anyone ever set up Gitlab or Gerrit, managed by a package
> manager, in a way that a small bug won't grant anonymous write
> access to every single repository?
>
> Web projects tend to assume that they're the only application/user
> on the server. And as far as security is concerned, that the server
> is in a locked closet with no internet connection. Most of them
> crash when you try to fix those assumptions.
>
> Github fails the second criterion[1], but it's not pointed directly
> at our repositories. A developer still has to review and push each
> commit, so the risk is mitigated.
>
> The infra team has high standards when it comes to this stuff, and
> to fix it would require more than just a weekend of
> experimentation.
>
>
> [1] http://homakov.blogspot.com/2012/03/how-to.html
>

That's completely reasonable. I'm not advocating for any specific
solution; infra knows the systems and it'd be up to them to choose a
good solution.

This makes me wonder now, though, whether the reason we settled on
GitHub was that the others weren't good and/or secure enough.
Personally I'm fine with e-mails and cgit like we currently have, but I
assume the goal of GitHub was to encourage more community involvement
and make contributing easier. Still, were something to happen to GitHub
we'd lose that ability and go back to standard overlays, e-mail, etc.
- --
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV/g3BAAoJEAEkDpRQOeFwPoIQAI76TxONizirRc6bF58n+kKE
Xxvlh/tl1lhFmJiyGLuy1HILEIbeeWX+8U9PFGWzYkh30Ie+7rc/L7Ya4jx3JrvE
3Iu6nHrRCArPNeTMYiNqiCrGVqhQ8qW/27AaalUNstrBXwK0RGKjB5DBYrNDKGl9
6UD5N3JFXo6xHQULuVRY8IjI+2FOR+d/Yww/L22SFfkdVjxHuXGkwk9QP1ZEYwXZ
eRx7Nb9RcJppcsSRtfeYI8Po4mRUZTRekMk36iOt35PC/eaw6wQePdC3pb0KJKaG
lmSb6XMlvooEsipzTsycA1AwOPgou9Vtsj7G6O5Jxj9n3rCROygIFCSYVujlWXeQ
mcZgZoxQpEo3oNTwKcz7XnY15d8IY/5Zd5rZ5LU6aHfknztJxlHsbDMTubJVM3nB
IFRQ5q8McHfTXHNy6A91FL4eKN1IPLF0naRCN/7ipa94GeTIb2Xe8GyQ9wGG42Oi
NCGSmjnc9GQP2F5X/qgqPLH4+8GPg6PXJNXl1gmkma20NdOS3ivBFX2pD6FFj8A3
Ju4fLKgFE+tD8Wv2+tnbo6oysd3zOODREi1fy/q/Ypik5wIxx1KKdntq1eFgvP6m
VZOi+AOjhygM9TM8PjmBkmQ0HAUn2W3irqWpMUCiupaEwyyyZHA0iKzKHEVOhhut
qHiucPnDyt+53WNkmzMN
=cCuf
-----END PGP SIGNATURE-----