savannah-hackers

Re: [Savannah-hackers] Re: A request for the website on behalf of the GN


From: Bradley M. Kuhn
Subject: Re: [Savannah-hackers] Re: A request for the website on behalf of the GNU project
Date: Sun, 4 Mar 2001 19:58:36 -0500
User-agent: Mutt/1.2.5i

> > OK, Let's start with an ftp site mirror, and a website mirror.
> > 
> > Do you have a written policy? e.g.:
> 
> At: <http://savannah.gnu.org> you will find a few links to different
> kinds of documentation, including webmastering, please check it up.

Also, I would note that much of this is covered in the GNU Maintainers Guide
(http://www.gnu.org/prep/maintain_toc.html).

We should have some more about savannah/subversions in the Maintainers
Guide soon.

> If you already have an account on the GNU machines, use your Kerberos
> password to log in and then change it to something else.
 
 
> > -- what should the directory structure be?
> 
> WWW:

> CVS:

More about the website and CVS is in the maintainers guide as well.


> > -- how do I get usage/hit/download statistics?
 

For FTP, we have a system to provide logs.  We are going to have to make
some changes due to a problem we just discovered, but it will still be
there.

We can do something similar for websites, too.

 

> > Policy:
> > -- Do you host precompiled binaries?  In the past, FSF has been reticent
> >    about doing this.
 
> I think there will be no problem, but I would prefer somebody to
> re-confirm this.

Now that we have gnuftp with lots of disk space, this is not a problem.  You
have to make sure that the source for all binary versions is also available
in the same place.


> > Security issues:
> > -- Should we md5/gpg sign all our sources and binaries? I believe we
> >    should, but do you have any particular recommendations?
> >    (I'm particularly nervous because I don't want to wake up someday
> >    and read on slashdot about how some trojan horse in gnucash has been
> >    e-mailing credit-card numbers to wherever).
 
> We have been discussing this (not only for savannah), but we haven't
> got a solution yet.

We do encourage maintainers to include a GPG, ascii-armored, signed md5sum
for each file.  It's not required, but you can certainly do it, and we are
happy if you do.
 
> 
> > -- what's the best (automated?) way I can assure that some hacker hasn't 
> >    busted into your site & altered the binaries (or source)?  Do you
> >    have any recommended scripts for rsync+md5 checking?

First, you likely mean 'cracker', not hacker.

Do you mean broken into the ftp or website and put trojan horses in the
source/binaries?  This can easily be done, if the md5sum and GPG-signed
files are there.

I don't know of a script that can check this, but it's really easy to write
one in a few minutes.  The important thing is that the GPG-signed, md5sum
files are there.

I can write a script for you if you need it that badly and don't have time
to write it.

> > > > 2) Surveys. I want to create a user survey ('what new
> > > > features..etc.)  I think I finally found some good s/w for that,
> > > > but it's sql-backended and I'm paranoid about administering the
> > > > security aspects of that.  Thus, if fsf provided that, I might
> > > > actually really really consider it.

What is the concern about this software?  That you don't have time to check
its security?  At least one savannah-hacker seems willing to get it
installed, if you want, but I need to be clear what your concerns about
"security aspects" are.

Attachment: pgphHLB75VOSn.pgp
Description: PGP signature
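
The check discussed in this message (a GPG-signed md5sum file used to detect altered files on a mirror), sketched as an added example that is not part of the original thread or any GNU script. It assumes a clearsigned manifest in `md5sum` output format, hypothetically named `MD5SUMS.asc`, and that the signer's public key was imported into the local keyring out of band.

```python
import hashlib
import subprocess
import sys
from pathlib import Path


def signed_manifest_text(asc_path):
    """Return only the text covered by a verified signature (needs gpg + the key).
    `gpg --decrypt` prints the signed body of a clearsigned file and exits
    non-zero when the signature does not verify, so check=True aborts here.
    """
    proc = subprocess.run(["gpg", "--batch", "--decrypt", str(asc_path)],
                          capture_output=True, check=True)
    return proc.stdout.decode("utf-8")


def parse_manifest(text):
    """Parse md5sum lines ('<32 hex>  <path>') into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        digest, sep, name = line.partition(" ")
        if sep and len(digest) == 32:
            entries[name.lstrip(" *")] = digest.lower()
    return entries


def check_tree(manifest_text, root, manifest_name="MD5SUMS.asc"):
    """Compare a mirror directory with the manifest (file name is an assumption)."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    report = {"altered": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif hashlib.md5(path.read_bytes()).hexdigest() != digest:
            report["altered"].append(name)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in expected and rel != manifest_name:
            report["unlisted"].append(rel)
    return report


if __name__ == "__main__":
    asc, tree = sys.argv[1], sys.argv[2]
    result = check_tree(signed_manifest_text(asc), tree, Path(asc).name)
    print(result)
    sys.exit(1 if any(result.values()) else 0)
```

The digests are parsed from gpg's output rather than from the `.asc` file itself, so text placed outside the signed region is never trusted. MD5 is kept because the thread's manifests are md5sum files; for a stronger digest, change the `hashlib` call and the digest length check.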

