[Sugar-devel] [Systems] aslo -> CDN

Aleksey Lim alsroot at member.fsf.org
Mon Nov 30 14:48:51 EST 2009


On Mon, Nov 30, 2009 at 02:17:20PM -0500, Bernie Innocenti wrote:
> [cc += sugar-devel@]
> 
> On Thu, 2009-11-26 at 08:44 -0600, dfarning at sugarlabs.org wrote:
> > Many people have access to the upload directory.
> 
> We could mitigate this by using separate groups. We already use a soas
> group for soas.
> 
> Besides, do the activity authors still need to upload source tarballs
> here? Couldn't this be done with Remora?

yup, I thought to add such functionality after getting rid of fructose
but it could be implemented anyway

> If not, couldn't we set release tags on Gitorious and download the
> tarballs from cgit? I know release tarballs sometimes contain more files
> than just a git snapshot, but it would work for most activities.
> 
> 
> >  My thought is to
> > start moving towards a staging directory layer.  Individuals will have
> > access to specific staging directories.  From there, a cron job can
> > sync from staging/ to downloads/ .
> 
> If the script just moves the files over without any additional checking,
> security would remain unchanged.
> 
> One possibility is requiring all files to be gpg signed by the author,
> but this makes things quite complicated: most developers do not seem to
> be familiar with gpg, and we'd still have to come up with some fancy ACL
> system based on the gpg key.
> 
> It would be much easier if Remora could be configured or extended to
> distribute all our source tarballs too.
> 
> -- 
>    // Bernie Innocenti - http://codewiz.org/
>  \X/  Sugar Labs       - http://sugarlabs.org/





-- 
Aleksey
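
The two points in the quoted message (a cron job that only moves files from staging/ to downloads/ changes nothing, and signed uploads need an ACL keyed on the gpg key), as an added example that is not part of the original thread or any Sugar Labs code. The ACL table, its subdirectory names, the detached `<tarball>.sig` naming and the fingerprints are assumptions constructed for illustration.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed ACL (constructed): staging subdirectory -> allowed primary-key fingerprints.
ACL = {"soas": {"A" * 40}, "activities": {"B" * 40, "C" * 40}}
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_fingerprint(status):
    """Primary-key fingerprint of the one valid signature in gpg status output, else None."""
    found = []
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary key; parts[2] may be a subkey.
            found.append(parts[11] if len(parts) >= 12 else parts[2])
    return found[0] if len(found) == 1 else None

def may_publish(subdir, status):
    """True only if the signer is listed for this staging subdirectory."""
    fpr = signer_fingerprint(status)
    return fpr is not None and fpr in ACL.get(subdir, set())

def gpg_status(tarball, sig):
    """Verify a detached signature and return gpg's machine-readable status lines."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(tarball)]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def sync(staging, downloads):
    """Publish tarballs from staging/<subdir>/ whose detached .sig passes may_publish()."""
    published = []
    for subdir in ACL:
        for sig in sorted(Path(staging, subdir).glob("*.sig")):
            src = sig.with_suffix("")  # foo.tar.gz.sig -> foo.tar.gz
            if not src.is_file():
                continue
            with tempfile.TemporaryDirectory() as tmp:
                # Verify a private copy so the file cannot be swapped after the check.
                tarball, sigcopy = shutil.copy2(src, tmp), shutil.copy2(sig, tmp)
                if may_publish(subdir, gpg_status(tarball, sigcopy)):
                    dest = Path(downloads, subdir, src.name)
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    published.append(shutil.move(tarball, dest))
    return published
```

The cron user running `sync()` needs a keyring that holds only the authors' public keys and must be the only account with write access to downloads/.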

