[Sugar-devel] [Systems] aslo -> CDN
alsroot at member.fsf.org
Mon Nov 30 14:48:51 EST 2009
On Mon, Nov 30, 2009 at 02:17:20PM -0500, Bernie Innocenti wrote:
> [cc += sugar-devel@]
> On Thu, 2009-11-26 at 08:44 -0600, dfarning at sugarlabs.org wrote:
> > Many people have access to the upload directory.
> We could mitigate this by using separate groups. We already use a soas
> group for soas.
> Besides, do the activity authors still need to upload source tarballs
> here? Couldn't this be done with Remora?
yup, I thought to add such functionality after getting rid of fructose
but it could be implemented anyway
> If not, couldn't we set release tags on Gitorious and download the
> tarballs from cgit? I know release tarballs sometimes contain more files
> than just a git snapshot, but it would work for most activities.
> > My thought is to
> > start moving towards a staging directory layer. Individuals will have
> > assess to specific staging directories. From there, a cron job can
> > sync from staging/ to downloads/ .
> If the script just moves the files over without any additional checking,
> security would remain unchanged.
> One possibility is requiring all files to be gpg signed by the author,
> but this makes things quite complicated: most developers do not seem to
> be familiar with gpg, and we'd still have to come up with some fancy ACL
> system based on the gpg key.
> It would be much easier if Remora could be configured or extended to
> distribute all our source tarballs too.
> // Bernie Innocenti - http://codewiz.org/
> \X/ Sugar Labs - http://sugarlabs.org/
> Sugar-devel mailing list
> Sugar-devel at lists.sugarlabs.org
More information about the Sugar-devel