Follow-up Comment #21, sr #107077 (project administration):

On Wed, 2009-12-02 at 23:47 +0000, Sylvain Beucler wrote:
> Follow-up Comment #20, sr #107077 (project administration):
>
> > "bzr does not permit configuring server side hooks in the repository because
> > of security concerns"
>
> But every VCS I know allows this (?).
>
> For example: do you intend, at a point, to implement centralised mail
> notification on commit? (which is the first thing people ask here)
> Currently this relies on an expensive, per-repository scanning every 5
> minutes through bzr-hookless-email, which isn't scalable.
The sysadmins *globally* install the bzr-email plugin, and then in
branch.conf enable it for that branch. Users with write access can:
 - disable it
 - enable it
 - configure it
but that's all. For a highly secure environment like savannah, I'd be happy
to provide an even less configurable bzr-email than normal, which users
cannot configure at all beyond choosing to have commits sent or not.

> I expect bzr+ssh to eventually work as a restricted shell that will also
> execute repository hooks, and these hooks should be stored in a
> root-restricted directory (like CVS/SVN/Git/Hg).
> (in which case sftp access would be closed to make sure hooks are executed)

We don't have repository hooks (though there is a plugin that enables them).
Rather we have plugins, and some plugins look in the repository for
configuration. This separation allows sysadmins to select what code may run
on the server (install/remove plugins), and users to enable/disable the
installed plugins (where those plugins permit being enabled/disabled).

Closing sftp to ensure the bzr+ssh server is used is a good idea.

> If you never intend to allow server-side hooks at the repository (!=user)
> level, I guess I can enable bzr+ssh (provided we make sure that homedirs will
> stay read-only), but this sounds strange.
> Currently I'd expect bzr+ssh to eventually run repository hooks.

We have equivalent functionality, but it's structured to be safe for users.
We have previously discussed having in-branch arbitrary commands and decided
against it because it's not secure. 'bzr info' of an AFS mounted branch
shouldn't be able to rm -rf your homedir (which is a simple example of an
attack using the style of hooks some other systems use).

-Rob

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107077>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
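The split Rob describes in the comment above (sysadmins choose which plugin code is installed on the server; a branch's own branch.conf may only switch an installed plugin on or off and supply data-only settings) is shown below as an added Python example written for this page. It is not code from bzr or the bzr-email plugin. The option names (post_commit_to, post_commit_sender, post_commit_mailer, post_commit_enabled), the two mailer names, the section-less branch.conf layout and both branch.conf bodies are assumptions constructed for illustration. The second design, hook_style_command, is the in-branch arbitrary command Rob says was rejected; it only returns the string a trusting server would run, it never executes it.

```python
"""Plugin/configuration split vs. in-branch hooks (added example, not bzr code).

Assumed: branch.conf is a section-less key = value file; option names and
mailer names are made up for this example.
"""
import configparser
import re

# Chosen by the sysadmin, outside any branch. A branch cannot extend this.
ADMIN_INSTALLED_PLUGINS = frozenset({"email"})

# Mailer backends implemented in server-side plugin code. A branch may pick
# one by name but can never supply a path or a command of its own.
MAILERS = frozenset({"smtplib", "sendmail"})

_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _address(value):
    if not _ADDRESS.match(value):
        raise ValueError(f"not an e-mail address: {value!r}")
    return value


def _mailer(value):
    if value not in MAILERS:
        raise ValueError(f"unknown mailer {value!r}")
    return value


def _flag(value):
    if value.lower() in ("true", "yes", "1"):
        return True
    if value.lower() in ("false", "no", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


# Every key a branch may set, with a validator that turns text into data.
SAFE_OPTIONS = {
    "post_commit_to": _address,
    "post_commit_sender": _address,
    "post_commit_mailer": _mailer,
    "post_commit_enabled": _flag,
}


def _parse(text):
    # Section-less file: prepend a DEFAULT header so configparser accepts it.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[DEFAULT]\n" + text)
    return parser.defaults()


def load_branch_conf(text):
    """Return (validated settings, rejected keys). Unknown or malformed keys
    are dropped, so a key like post_commit_hook cannot carry a command."""
    settings, rejected = {}, []
    for key, raw in _parse(text).items():
        validator = SAFE_OPTIONS.get(key)
        if validator is None:
            rejected.append(key)
            continue
        try:
            settings[key] = validator(raw)
        except ValueError:
            rejected.append(key)
    return settings, rejected


def plan_post_commit(branch_conf_text, installed=ADMIN_INSTALLED_PLUGINS):
    """What runs after a commit: only installed plugins, fed only validated data."""
    settings, _ = load_branch_conf(branch_conf_text)
    actions = []
    if ("email" in installed and settings.get("post_commit_enabled", True)
            and "post_commit_to" in settings):
        actions.append(("send_email", {
            "to": settings["post_commit_to"],
            "sender": settings.get("post_commit_sender"),
            "mailer": settings.get("post_commit_mailer", "smtplib"),
        }))
    return actions


def hook_style_command(branch_conf_text):
    """The rejected design: trust a command string stored in the branch.
    Returned only; a server that handed this to a shell would run whatever
    the last committer (or whoever served the branch) wrote."""
    return _parse(branch_conf_text).get("post_commit_hook")


# Constructed sample: harmless data keys plus two attempts to plant code.
MALICIOUS_BRANCH_CONF = """\
post_commit_to = commits@example.org
post_commit_mailer = /tmp/evil.sh
post_commit_hook = rm -rf ~
"""

# Constructed sample: what a user is meant to be able to do.
BENIGN_BRANCH_CONF = """\
post_commit_to = commits@example.org
post_commit_sender = bzr@example.org
post_commit_mailer = sendmail
"""

if __name__ == "__main__":
    print("hook-style server would run:", hook_style_command(MALICIOUS_BRANCH_CONF))
    print("plugin-style server runs:", plan_post_commit(MALICIOUS_BRANCH_CONF))
    print("rejected keys:", load_branch_conf(MALICIOUS_BRANCH_CONF)[1])
```

The point the example makes is the one in the comment: with the plugin model the only thing a branch can influence is which of the sysadmin's installed plugins run and with what validated data, so a read-only operation over an untrusted branch cannot turn into command execution, whereas the hook-style model hands the committer a command line.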