[repoman] transport mechanism
Dan McGee
dpmcgee at gmail.com
Tue Jul 10 23:02:08 EDT 2007
On 7/10/07, Paul Mattal <paul at mattal.com> wrote:
> Jason Chu wrote:
> > On Mon, Jul 09, 2007 at 12:20:58PM -0400, Paul Mattal wrote:
> >> Jason Chu wrote:
> >>> But ssh can be run on multiple ports... even with a custom client/server
> >>> you'd probably still run it on multiple ports for multiple instances.
> >> Yes, but then do you set up a separate user system? I don't want
> >> everyone authenticating off one password file.
> >
> > I was thinking it'd be different chroots per instance. That way it is
> > different password files (repo.or.cz uses just ssh-keys, which I think
> > works pretty well).
>
> I'm slowly coming around. Given the signature method of validating
> packages, I actually don't care who uploads them, as long as it's
> someone we basically trust (who won't DoS us). In that case, we can have
> one chroot jailed SSH and one set of accounts (and/or keys) for
> uploaders. The db would be responsible for having the signature for each
> package in advance and so could guarantee they're authentic.
>
> The remaining piece is that an upload needs also to trigger an action. I
> suppose this could be done by an "upload monitor" watching a directory
> and handling files as they appear there. This is probably safest because
> the monitor can live outside the chroot jail, guaranteeing the uploaders
> cannot manipulate or examine any aspect of the monitor.
>
> Yes, I think I'm sold. Additional advantage is that if you're running a
> local system, you just point your monitor at some directory and it's up
> to users to just move their packages in there. So it works for people
> with a lightweight setup and those who need the transport layer.
Sorry for being late on chiming in here.
I like this idea, because we aren't reinventing the wheel. With a
little outside help from a shell script, it should be minimal
configuration for anyone to get this special sshd running. Using
something like git-shell, which allows only restricted subsets of
commands to be run, is ideal for this kind of situation.
The upload monitor could even be called by the uploader themselves,
although monitoring a directory isn't a bad idea. That just entails
having another daemon running however, and keeping these numbers down
seems like a smart idea.
This also would allow us to see who actually uploaded a package, should we care.
+1 on this solution working for local systems as well.
-Dan
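The upload monitor Paul and Dan describe above, as an added example that is not part of this thread or of the repoman project: a process running outside the chroot jail that scans the upload directory, accepts only regular files with a sane package name, and compares each file against a registry of expected values that the database holds in advance. A SHA-256 digest stands in for the real package signature here (a deployment would run a detached-signature check instead); the directory layout, the name pattern and the `expected` registry are assumptions for the demo, and the sample files are constructed inline.

```python
import hashlib
import hmac
import os
import re
import shutil
import tempfile

# Assumed package naming convention for the demo (not repoman's own).
SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._+-]*\.pkg\.tar\.gz$')


def file_digest(path):
    """SHA-256 of a file, read in chunks so large packages do not load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def process_incoming(incoming, accepted_dir, rejected_dir, expected):
    """One pass of the monitor over the upload directory.

    `expected` maps package file name -> digest registered before the upload,
    playing the role of the database that already holds each signature.
    Returns (accepted names, [(rejected name, reason), ...]).
    """
    accepted, rejected = [], []
    for name in sorted(os.listdir(incoming)):
        src = os.path.join(incoming, name)
        # The uploader controls what lands in the jail; only plain files are handled,
        # never symlinks or directories, so nothing outside the jail can be reached.
        if os.path.islink(src) or not os.path.isfile(src):
            reason = 'not a regular file'
        elif not SAFE_NAME.match(name):
            reason = 'unexpected file name'
        elif name not in expected:
            reason = 'no registered signature'
        elif not hmac.compare_digest(file_digest(src), expected[name]):
            reason = 'digest mismatch'
        else:
            reason = None
        # Move the file out of the upload area either way so it is handled exactly once.
        if reason is None:
            shutil.move(src, os.path.join(accepted_dir, name))
            accepted.append(name)
        else:
            shutil.move(src, os.path.join(rejected_dir, name))
            rejected.append((name, reason))
    return accepted, rejected


def demo():
    """Constructed scenario: one valid upload, one tampered, one unregistered, one symlink."""
    root = tempfile.mkdtemp(prefix='repoman-demo-')
    incoming = os.path.join(root, 'incoming')
    accepted_dir = os.path.join(root, 'accepted')
    rejected_dir = os.path.join(root, 'rejected')
    for d in (incoming, accepted_dir, rejected_dir):
        os.makedirs(d)
    good = b'constructed package contents'
    with open(os.path.join(incoming, 'foo-1.0-1.pkg.tar.gz'), 'wb') as f:
        f.write(good)
    with open(os.path.join(incoming, 'bar-2.0-1.pkg.tar.gz'), 'wb') as f:
        f.write(b'contents that differ from what was registered')
    with open(os.path.join(incoming, 'baz-3.0-1.pkg.tar.gz'), 'wb') as f:
        f.write(b'never registered in the database')
    link = os.path.join(incoming, 'evil-1.0-1.pkg.tar.gz')
    try:
        os.symlink(os.path.join(root, 'nonexistent-target'), link)
    except OSError:
        os.makedirs(link)  # platforms without symlinks: a directory is also not a regular file
    # Registry the database would have populated before the upload arrived.
    expected = {
        'foo-1.0-1.pkg.tar.gz': hashlib.sha256(good).hexdigest(),
        'bar-2.0-1.pkg.tar.gz': hashlib.sha256(b'original bar contents').hexdigest(),
    }
    result = process_incoming(incoming, accepted_dir, rejected_dir, expected)
    shutil.rmtree(root)
    return result


if __name__ == '__main__':
    acc, rej = demo()
    print('accepted:', acc)
    for name, why in rej:
        print('rejected:', name, '-', why)
```

Because the monitor only ever reads from the upload directory and moves files out of it, the uploader's jailed account needs no more than write access to that one directory, which is the separation the thread is after.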