[darcs-users] suggestion: each push should identify its target repo internally
David Roundy
droundy at abridgegame.org
Thu Aug 14 14:26:40 UTC 2003
On Wed, Aug 13, 2003 at 05:54:28PM -0700, John Meacham wrote:
> It is just good software design to make darcs as generic and simple as
> possible and build infrastructure on top of it for dealing with specific
> configurations.
Agreed. Also, with respect to the security concerns issue. However, I'd
prefer not to have darcs at all involved in choosing the repository or
allowed_keys file. It doesn't seem all that hard to do this in procmail:

:0:
* ^DarcsURL:.*darcs
| darcs apply -r --repodir /home/droundy/darcs

:0:
* ^DarcsURL:.*abridge
| darcs apply -r --repodir /home/droundy/abridge

The location of the allowed_keys file can already be specified on a
per-repository basis using the _darcs/prefs/defaults by adding a line
"apply verify /path/to/allowed_keys". Or it could be specified in the
procmail recipe if you like.
I'm not comfortable building infrastructure into darcs for dispatching
patches to repos because unless you are rather careful (or only
include your own key in allowed_keys), you could be opening up security
holes in your system by running multiple pushable repos as the same user.
Anyone who has write access to a repo that runs the test on applied patches
can run arbitrary code on your system. Unless you make
_darcs/prefs/defaults owned by a different user, anyone who has write
access to a repo can probably turn on testing and run arbitrary code even
if you have testing turned off. If you have _darcs/prefs/defaults owned by
root in one repo to which you give others access, but it is owned by your
user in your private (but pushable) repo, users with access to the public
repo may be able to modify your private repo and run arbitrary code on your
computer.
The last two of my objections are based on the assumption that darcs is
insufficiently careful with where it makes modifications. The reason for
this is that in the "normal" case, I expect that anyone using darcs has the
right to run arbitrary code on the machine, since it's best to always run
the test scripts, assuming a project has them. It would be nice to try to
ensure that darcs doesn't allow patches to modify either the contents of
_darcs (except, of course, via setpref) or anything outside of the repo,
but that would probably be hard (and even harder to prove bug-free).
However, if anyone does want programs to dispatch patches, it wouldn't be
much harder to write such a thing external to darcs itself.
--
David Roundy
http://www.abridgegame.org
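An external dispatcher of the kind the mail suggests, as an added example that is not code from the darcs project or from the original message: the target repository is chosen only through an explicit allowlist keyed on the last path component of the DarcsURL header, each repository gets its own allowed_keys via --verify, and --no-test keeps a pushed patch from running the repository's test script. The allowlist, paths and key-file names are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from darcs or the original mail): dispatch an incoming
# patch mail to a repository chosen from an explicit allowlist, so a crafted
# DarcsURL header can never select an arbitrary --repodir. Paths are assumptions.

# Allowlist, one "<url-tag> <repodir> <allowed_keys>" entry per line.
ALLOWED_TARGETS='
darcs   /home/droundy/darcs    /home/droundy/keys/darcs_allowed_keys
abridge /home/droundy/abridge  /home/droundy/keys/abridge_allowed_keys
'

# Print the value of the first DarcsURL header in message $1 (headers end at
# the first blank line, so a DarcsURL line in the body is ignored).
darcs_url_of() {
  printf '%s\n' "$1" | sed -n -e '/^$/q' -e 's/^DarcsURL:[[:space:]]*//p' | head -n 1
}

# Map a URL to "<repodir> <allowed_keys>" via the allowlist; fail if unknown.
resolve_target() {
  url=$1
  result=$(printf '%s\n' "$ALLOWED_TARGETS" | while read -r tag repodir keys; do
    [ -n "$tag" ] || continue
    case $url in
      */"$tag") printf '%s %s\n' "$repodir" "$keys"; break ;;
    esac
  done)
  [ -n "$result" ] || return 1
  printf '%s\n' "$result"
}

# Build the darcs apply command for message $1: --verify points at that
# repository's own allowed_keys, and --no-test keeps a pushed patch from
# running the repository's test script under this user.
apply_cmd_for() {
  url=$(darcs_url_of "$1")
  [ -n "$url" ] || return 1
  target=$(resolve_target "$url") || return 1
  printf 'darcs apply --verify %s --no-test --repodir %s\n' "${target#* }" "${target%% *}"
}

# As a mail filter (DISPATCH_RUN=1, message on stdin): refuse unknown targets,
# otherwise feed the message to the resolved command.
if [ "${DISPATCH_RUN:-0}" = 1 ]; then
  msg=$(cat)
  cmd=$(apply_cmd_for "$msg") || { echo 'dispatch: unknown DarcsURL, refusing' >&2; exit 1; }
  printf '%s\n' "$msg" | $cmd
fi
```

Hook it up by piping the mail into `DISPATCH_RUN=1 sh dispatch.sh` from a single procmail recipe; anything whose DarcsURL is not in the allowlist is rejected before darcs ever runs.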