FESco meeting summary for 20090507

Bill Nottingham notting at redhat.com
Mon May 11 21:57:52 UTC 2009

Toshio Kuratomi (a.badger at gmail.com) said: 
> One thing that was mentioned was the lack of fs acls at the moment.
> After looking at what we have now, I'm not sure that fs acls fix
> anything that's not also broken currently.
> Currently:
> * the cvs repository has no fs acls
> * unix group for all directories is set to packager with a sticky group bit.
> * the cvs acl script limits who can actually commit to packages to
> @provenpackager and the specific people involved.
> Implementation-wise, the proposal would allow the cvs acl script to have
> @packager as another allowed group so people who are just in the
> packager group can commit to a specific package.
> I can see fs acls being used to lock down our repo against bugs in the
> cvs acl script or being used to replace the cvs acl script.  But that
> seems to be somewhat separate from the proposal.  I don't think it would
> solve anything specific to the proposal but could make things more
> secure for both the current and proposed method.
> notting, do you see something that I don't?

You *could* swap the permissions so that all packages are only
provenpackager-writable, and implement packager (and owner) access
via FS acls.

Whether that scales or not is another matter.


More information about the fedora-devel-list mailing list