X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
Message-ID: <20121116200917.6483.qmail@stuge.se>
Date: Fri, 16 Nov 2012 21:09:16 +0100
From: Peter Stuge <peter AT stuge DOT se>
To: geda-user AT delorie DOT com
Subject: Re: [geda-user] git mirror of gedasymbols.org
Mail-Followup-To: geda-user AT delorie DOT com
References: <20121116030224 DOT 5c7750ee AT akka> <201211160225 DOT qAG2PrVD005630 AT envy DOT delorie DOT com> <20121116035513 DOT 14519 DOT qmail AT stuge DOT se> <201211160357 DOT qAG3vUXo017504 AT envy DOT delorie DOT com> <20121116041216 DOT 16057 DOT qmail AT stuge DOT se> <201211160428 DOT qAG4Sh3h018631 AT envy DOT delorie DOT com> <llhhn9x25t DOT ln2 AT skate DOT rswarbrick> <201211161728 DOT qAGHSUC6013961 AT envy DOT delorie DOT com> <20121116174030 DOT 25894 DOT qmail AT stuge DOT se> <201211161816 DOT qAGIGpEJ019458 AT envy DOT delorie DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201211161821.qAGILXBK020265@envy.delorie.com> <201211161816.qAGIGpEJ019458@envy.delorie.com>
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

Sorry, I don't follow part of your first mail.

DJ Delorie wrote:
> > Repo-per-user wouldn't (and must not!) be different. Depending on if
> > users should access any other repository than their gedasymbols one
> > both user and repository can be created in one go.
> 
> Changing someone's admin permissions

Which admin permissions do you mean?


> means adding/removing that user on every single git repo (plus
> adding them on new repos).

Which repos do you mean by "every single git repo" and "new repos" ?


> Must deal with conflicts if the top-level repo happens to have
> stuff in a per-user directory.

The top-level repo wouldn't have content, it would only tie per-user
repos together. A top-level repo isn't strictly needed actually - but
could be a natural place to store scripts and maybe non-user parts of
the website.


> If you use gitk, adding a user means committing to multiple
> repositories.

Hm? Only if the user is actually supposed to write to multiple repos?

For gedasymbols that wouldn't make much sense if we decide that
symbol repos are per user, those repositories would only ever be
written to by their respective owners.

Of course the owners can also have permission to write to other,
non-gedasymbols, repositories on the same server.


There are two popular ways to deal with multiple users and git, and
one, or both, or even something else might be a good fit for us.

One way is gitolite. I find that a bit fragile and complicated, but
it does allow very fine-grained control of who does what where. There
is only one system user, authentication is by public key SSH, all
repo permissions are managed per SSH key.

Another way, and the way I strongly prefer, is to create actual
system users for each user, and manage permissions with repository
granularity using groups and filesystem permissions. A POSIX ACL,
specifically a default mask, is required in order to avoid umask
problems. The shell is set to git-shell, which allows no other
operations on the system besides git actions.

I use the latter approach for successfully hosting several projects
with different usage patterns (single shared repo, as well as
per-user repos) since a few years.


> > What's the current authentication method? pserver or SSH?
> 
> pserver

OK, yes, that would indeed change, but another method must of course
remain as easy to manage! Fortunately, that's not a big problem. :)


DJ Delorie wrote:
> > > That separates authentication from attribution.  Too easy to put
> > > someone else's name on a file and commit it.
> > 
> > I'm sorry, but I don't get why that is a bug and not a feature?
> 
> If you steal a footprint and put my name on it, I get in trouble.

Aha! But since I can only put symbols in my own repository it's very
easy for everyone to see that in fact you had nothing to do with it.


If we wanted to, we could easily make per-user gedasymbol
repositories reject any commits with author != repo owner.

I would suggest to match only full name, not email, since people may
change email. The owner would be the value of pw_gecos, as set when
the user is created. (And can be updated if someone changes their
name.)

Another possibility, allowing less checking and relying more on
trusting each other, would be to require every commit to be
Signed-off-by: similar to Linux kernel commits.

And yet another possibility to think of is pgp-signed commits.


I personally think that rejecting author!=owner commits is already
going really far, but it's so easy to do that I wouldn't mind
doing it.


//Peter