savannah-hackers
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-help-public] [sr #107077] bzr+ssh:// preferable to sftp://

From: Sylvain Beucler
Subject: [Savannah-help-public] [sr #107077] bzr+ssh:// preferable to sftp://
Date: Thu, 12 Nov 2009 10:09:03 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Iceweasel/3.0.6 (Debian-3.0.6-3) 
Update of sr #107077 (project administration):

             Assigned to:                    None => Beuc                   
             Open/Closed:                    Open => Closed                 

    _______________________________________________________

Follow-up Comment #6:

At Savannah we do not allow local shell access to make it harder for users to
attempt to exploit vulnerabilities before fixes are applied.

Consequently we will not offer both sftp: and bzr+ssh: at the same time, as
the combination of both would allow users to run arbitrary commands on the
server through commit hooks, in effect getting local access.

At a point we may move to bzr+ssh completely, but this requires moving all
the projects at once, and making sure they can create the directory layouts
they need through our web interface. Currently, there is not enough incentive,
or time, to do so. In particular it seems server-side commit hook'ing is
supported, but there are few actual server-side commit hooks.

As for installing the recent 2.0, we'll wait until this is properly support
in Debian stable, or possibly Debian backports.

So it is a bit more complicated than just installing a piece of software on
our servers.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107077>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]