Opened 18 months ago

Closed 16 months ago

Last modified 16 months ago

#26849 closed defect (wontfix)

Upload sbws releases in dist.torproject.org

Reported by: juga Owned by:
Priority: Medium Milestone:
Component: Internal Services/Service - dist Version:
Severity: Normal Keywords: sbws
Cc: pastly, teor Actual Points:
Parent ID: #26848 Points:
Reviewer: Sponsor:

Description

Some Core Tor components use https://dist.torproject.org/ to upload releases.
It would be useful to have sbws releases also published there.
They should be created with git archive and gpg signed.
They can be created from sbws tags (that are already currently signed).
This would be also facilitate sbws debian package (#26848) to detect when there are new sbws releases without depending on Github automatic releases from tags.

I think this would require to create a directory called sbws, give permissions to pastly (and optionally juga).

Child Tickets

Change History (7)

comment:1 Changed 18 months ago by juga

Parent ID: #26848

Add parent

comment:2 Changed 18 months ago by nickm

I am +1 with doing this if the permissions can be isolated to a single sbws directory.

comment:3 Changed 18 months ago by juga

nickm, would you mind to create a new ticket and gpg signed?.

According to [0] and weasel, it's not me who must create the ticket:

If you want to get added to some unix group, you will have to find an existing member of that group. They should then request on trac – ideally in a PGP signed message (as above in the new account creation section) – that you be added to their group.

https://help.torproject.org/tsa/doc/accounts/

comment:4 Changed 18 months ago by juga

The person that create it must be in the group that has the permission

comment:5 Changed 17 months ago by nickm

I'm happy to ask for this but I don't know the right from for asking for a new unix group; I only see how to get added to an existing one there. Do we know if it is possible to get the new group able to upload to just this directory?

comment:6 Changed 16 months ago by juga

Resolution: wontfix
Status: newclosed

As commented in https://trac.torproject.org/projects/tor/ticket/27145, is not currently possible to use dist.tpo

comment:7 Changed 16 months ago by arma

For historical context, we spoke of four options:

(a) you give one of the torwww people a link to a thing and they stick the thing on dist. there are enough people in torwww that i bet this would work fine.

(b) we pick one of the three and add them to torwww and hope that it doesn't make the fire that is torwww burn higher. (knowing that every person in the group can go modify every download, if
they want or if their computer gets compromised enough)

(c) stick the files somewhere else" if that's a fine choice for you

(d) make a new group that can write to one dir. torwww can still steal your thing, and it means torwww is unable to clean things up without root because it's a bad option.

I am unexcited about 'd' because it means we go even deeper into the wrong solution.

The right solution is to implement #13134 so torwww actually has a scalable way to keep track of files. Right now 13 people can go edit any the files on dist, and adding more people to that set is not necessarily wise.

That said, I am open to options 'a' or 'b' if they resume looking better than option 'c'.

Note: See TracTickets for help on using tickets.