[repoman] transport mechanism

Paul Mattal paul at mattal.com
Tue Jul 10 08:12:49 EDT 2007


Jason Chu wrote:
> On Mon, Jul 09, 2007 at 12:20:58PM -0400, Paul Mattal wrote:
>> Jason Chu wrote:
>>> But ssh can be run on multiple ports... even with a custom client/server
>>> you'd probably still run it on multiple ports for multiple instances.
>> Yes, but then do you set up a separate user system? I don't want 
>> everyone authenticating off one password file.
> 
> I was thinking it'd be different chroots per instance.  That way it is
> different password files (repo.or.cz uses just ssh-keys, which I think
> works pretty well).

I'm slowly coming around. Given the signature method of validating
packages, I actually don't care who uploads them, as long as it's
someone we basically trust (who won't DoS us). In that case, we can have
one chroot-jailed SSH and one set of accounts (and/or keys) for
uploaders. The db would be responsible for having the signature for each
package in advance and so could guarantee they're authentic.

The remaining piece is that an upload needs also to trigger an action. I
suppose this could be done by an "upload monitor" watching a directory
and handling files as they appear there. This is probably safest because
the monitor can live outside the chroot jail, guaranteeing the uploaders
cannot manipulate or examine any aspect of the monitor.

Yes, I think I'm sold. Additional advantage is that if you're running a
local system, you just point your monitor at some directory and it's up
to users to just move their packages in there. So it works for people
with a lightweight setup and those who need the transport layer.

- P
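
The upload monitor described in the message above, sketched as an added example that is not part of the original post or of repoman's code. It assumes a POSIX system, models the "signature the db has in advance" as a SHA-256 digest keyed by file name, and uses hypothetical names (`check_upload`, `process_incoming`, the directory layout).

```python
import hashlib, os, stat, tempfile

def check_upload(path, name, accepted, expected):
    """Verify one uploaded file and publish it into `accepted` if it matches."""
    if name not in expected:
        return "rejected: unknown package"
    try:
        # Uploaders control this directory: never follow a symlink out of the
        # jail, and never block on a FIFO they planted.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return "rejected: not a plain file"
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return "rejected: not a plain file"
        # Hash and copy in one pass so the published bytes are exactly the
        # bytes that were checked, even if the uploader rewrites the file.
        digest = hashlib.sha256()
        tmp_fd, tmp_path = tempfile.mkstemp(dir=accepted)
        with os.fdopen(tmp_fd, "wb") as out:
            while chunk := os.read(fd, 1 << 16):
                digest.update(chunk)
                out.write(chunk)
    finally:
        os.close(fd)
    if digest.hexdigest() != expected[name]:
        os.unlink(tmp_path)
        return "rejected: digest mismatch"
    os.replace(tmp_path, os.path.join(accepted, name))
    os.unlink(path)
    return "accepted"

def process_incoming(incoming, accepted, expected):
    """One monitor pass; returns {file name: outcome}. `expected` maps file name
    to the SHA-256 hex digest recorded in advance (assumed signature stand-in)."""
    return {name: check_upload(os.path.join(incoming, name), name, accepted, expected)
            for name in sorted(os.listdir(incoming))}

if __name__ == "__main__":
    # Constructed sample: one registered package, one unregistered upload.
    root = tempfile.mkdtemp()
    inc, acc = os.path.join(root, "incoming"), os.path.join(root, "accepted")
    os.mkdir(inc); os.mkdir(acc)
    for fname, data in (("foo-1.0.pkg", b"pkg bytes"), ("stray.pkg", b"??")):
        with open(os.path.join(inc, fname), "wb") as f:
            f.write(data)
    print(process_incoming(inc, acc, {"foo-1.0.pkg": hashlib.sha256(b"pkg bytes").hexdigest()}))
```

Rejected files are left in the incoming directory for inspection; only verified bytes ever reach `accepted`.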



