Date:	Thu, 13 Sep 2012 09:35:43 -0400
From:	Konstantin Ryabitsev <mricon@...nel.org>
To:	Borislav Petkov <bp@...en8.de>, Leonard Tse <xiehao5@...il.com>,
	ftpadmin@...nel.org, linux-kernel@...r.kernel.org, greg@...ah.com,
	leoli@...escale.com, triplex@...kernel.org, tshibata@...jp.nec.com,
	k-keiichi@...jp.nec.com, minchan.kim@...il.com
Subject: Re: [PATCH]URL is unavailable

On 13/09/12 05:32 AM, Borislav Petkov wrote:
> My memory is hazy on this, but after the move, what's the policy on
> enabling users.kernel.org or userweb.kernel org or some other user web
> serving thing? I vaguely remember that we don't want to do this anymore
> but I'm not sure.

Well, as such a system would be the largest security risk, it's
understandable that we're, err... reticent to have it up anywhere near
the rest of the infrastructure. :) We do have ssh enabled on two systems
that require git and release management, but anyone ssh'ing in never
gets a real shell and is severely locked down with SELinux.

> In any case, if we do, it would probably be better to have a whole
> different machine for such stuff and let users upload their stuff again
> without touching the old backups at all...

A better question is -- what is the problem we are trying to solve? We
are not in the business of providing free web hosting -- our aim is to
facilitate kernel development. We already provide a mechanism for git
trees and release tarballs. What is lacking is a simple way to publish
documentation -- it can be currently done with kup, but it's poorly
suited for uploading and managing many small files.

We already have a skeleton implementation of pulling such docs from git
trees (e.g. git docs are published that way). It's on my list of things
to extend this to a more universal and versatile system that would make
it easy for anyone to publish arbitrary documentation via their git
access -- perhaps on a subdomain like docs.kernel.org/treename/[etc]. We
can even require the use of "git tag -s" -- this will give us both
adequate security and history of changes.

I think this would be a better approach than allowing unfettered ssh
access and upload of arbitrary files.

Regards,
-- 
Konstantin Ryabitsev
Systems Administrator
Linux Foundation, kernel.org
Montréal, Québec
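The message above proposes publishing documentation straight from git trees and gating it on "git tag -s", so that a signed tag supplies both the authorization check and the change history. The following is an added example of what such a publish gate can look like; it is not kernel.org's tooling and is not part of the original message. It wraps `git verify-tag --raw`, which writes gpg's machine-readable status lines (`[GNUPG:] GOODSIG ...`, `[GNUPG:] VALIDSIG ...`, ...) to stderr, and decides from those lines rather than from the human-readable text. The key fingerprints, user id and status samples are constructed placeholders; `ALLOWED_FINGERPRINTS`, `judge_status` and `verify_tag` are hypothetical names chosen here.

```python
"""Publish gate for docs pulled from a git tree: deploy a tag only when it
carries a valid PGP signature from an allow-listed key.

Added example, not kernel.org's own code.  Requires git and gpg on PATH
for verify_tag(); judge_status() itself works on captured status text.
"""
import subprocess
from dataclasses import dataclass

# Hypothetical allow-list: full 40-hex-digit fingerprints of the keys
# permitted to publish this tree.  The value below is a constructed
# placeholder, not a real key.
ALLOWED_FINGERPRINTS = {
    "ABCDEF0123456789ABCDEF0123456789ABCDEF01",
}

# gpg status keywords that must reject the tag regardless of other lines.
FATAL_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def judge_status(status_text: str, allowed: set) -> Verdict:
    """Decide from raw gpg status output whether a tag may be published.

    Requires a GOODSIG *and* a VALIDSIG whose full fingerprint (signing
    subkey or primary key) is in `allowed`.  GOODSIG alone carries only a
    64-bit key ID, which is not a safe identity; VALIDSIG carries the
    fingerprint.  gpg's own trust database is deliberately not consulted:
    the allow-list is the policy.
    """
    good = False
    fingerprints = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL_STATUS:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # fields[2]: fingerprint of the signing (sub)key;
            # fields[11], when present: fingerprint of the primary key.
            fingerprints.append(fields[2])
            if len(fields) >= 12:
                fingerprints.append(fields[11])
    if not good:
        return Verdict(False, "no GOODSIG: tag is unsigned or unverifiable")
    for fpr in fingerprints:
        if fpr in allowed:
            return Verdict(True, "signed by allow-listed key", fpr)
    return Verdict(False, "signature valid but key is not allow-listed")


def verify_tag(repo: str, tag: str, allowed: set = ALLOWED_FINGERPRINTS) -> Verdict:
    """Run `git verify-tag --raw <tag>` in `repo` and judge its status lines.

    git exits non-zero both for unsigned tags and for bad signatures; the
    status lines on stderr say which, so we judge them, not the exit code.
    """
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        capture_output=True, text=True, check=False,
    )
    return judge_status(proc.stderr, allowed)


# Constructed status samples (shape follows gpg's status-fd format).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ABCDEF0123456789 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2012-09-13 1347543343 0 4 0 1 8 01 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
UNKNOWN_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-09-13 1347543343 0 4 0 1 8 01 0123456789ABCDEF0123456789ABCDEF01234567
"""
BADSIG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG ABCDEF0123456789 Example Maintainer <maintainer@example.org>
"""
UNSIGNED_STATUS = ""  # git prints only "error: no signature found" for these


if __name__ == "__main__":
    for name, text in [("good", GOOD_STATUS), ("unknown key", UNKNOWN_KEY_STATUS),
                       ("bad sig", BADSIG_STATUS), ("unsigned", UNSIGNED_STATUS)]:
        print(f"{name:12s} -> {judge_status(text, ALLOWED_FINGERPRINTS)}")
```

In a real pipeline the call would be `verify_tag("/srv/git/treename.git", "v1.0")` followed by a checkout of that tag into the docs web root only when `Verdict.ok` is true; the tag name and the signer fingerprint from the verdict are what you log as the publication record.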

