From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 05 Dec 2010 07:08:00 -0000
From: Christopher Faylor
To: overseers@gcc.gnu.org, Daniel Kraft, Hans-Peter Nilsson
Subject: Re: Write access from compile farm
Message-ID: <20101205060427.GA26279@ednor.casa.cgf.cx>
References: <4CFA1571.5030300@domob.eu>
X-SW-Source: 2010-q4/txt/msg00068.txt.bz2

On Sat, Dec 04, 2010 at 07:21:35PM -0500, Hans-Peter Nilsson wrote:
>On Sat, 4 Dec 2010, Daniel Kraft wrote:
>
>> some time ago I started using the GCC compile farm for development; so I'm
>> wondering whether it is ok to have SVN write access from the accounts there --
>> or this is considered insecure. What are the policies there?
>>
>> As SVN write authentication is done with a public key, I guess that this means
>> you have to set the access up appropriately up for any machine I want to use
>> for check-in, right? So... in case the write-access from compile farm is ok,
>> can I generate a public key there and submit it to you -- or what should I do?
>
>Assuming those who set policies don't disagree, and you're
>talking about interactive session (i.e. not a cron job or robot)
>just forward the *authentication session*, no need to forge a new
>key or deal with copying keys. Look at what ssh says about its
>-A option and ForwardAgent config. (It might even be the
>default for you.) I'm not sure, but you might have to have
>ssh-agent running.

This is actually a better way of doing this than what I suggested since
what I suggested means copying a private key to a semi-public machine.

>(FWIW, no I wouldn't do that. I just copy the patch and commit
>from my "console" machine. You say "tin-foil", I say "hats".)

Yeah, ditto, there too.

cgf
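
Added example, not part of the thread: because agent forwarding "might even be the default", this shell function lists which Host blocks of an OpenSSH client config set `ForwardAgent yes` and flags wildcard patterns, where every host you log in to could use your agent. The sample config and its host names are constructed, and only the literal value `yes` is recognised.

```shell
#!/bin/sh
# Added example: audit an OpenSSH client config for agent forwarding.

audit_forward_agent() {   # usage: audit_forward_agent CONFIG_FILE
    awk '
        function flush(   n, i, h, v) {
            if (!fwd) return
            n = split(hosts, h, " ")
            for (i = 1; i <= n; i++) {
                v = (h[i] ~ /[*?]/) ? "BROAD" : "scoped"
                print v, h[i]
            }
        }
        BEGIN { hosts = "*" }        # options before any Host line apply to all hosts
        /^[ \t]*#/ { next }          # skip comment lines
        { gsub(/=/, " "); key = tolower($1) }   # accept "Keyword=value" too
        key == "host"  { flush(); hosts = ""; fwd = 0
                         for (i = 2; i <= NF; i++) hosts = hosts " " $i
                         next }
        key == "match" { flush(); hosts = "match-block"; fwd = 0; next }
        key == "forwardagent" && tolower($2) == "yes" { fwd = 1 }
        END { flush() }
    ' "$1"
}

write_sample_config() {   # constructed sample, not a real configuration
    cat > "$1" <<'EOF'
Host *
    ForwardAgent yes

Host farm-node.example
    ForwardAgent yes

Host other.example
    ForwardAgent no
EOF
}

tmp=$(mktemp) && write_sample_config "$tmp" && audit_forward_agent "$tmp"
rm -f "$tmp"
```

Because ssh uses the first value it finds for each option, the `Host *` block at the top of the sample also enables forwarding for `other.example`; `ssh -G <host>` prints the value that actually takes effect for one host.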