From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <overseers-return-5808-listarch-overseers=sources.redhat.com@sources.redhat.com>
Received: (qmail 29625 invoked by alias); 23 May 2003 16:49:10 -0000
Mailing-List: contact overseers-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Archive: <http://sources.redhat.com/ml/overseers/>
List-Post: <mailto:overseers@sources.redhat.com>
List-Help: <mailto:overseers-help@sources.redhat.com>,
	<http://sources.redhat.com/ml/#faqs>
Sender: overseers-owner@sources.redhat.com
Received: (qmail 29589 invoked from network); 23 May 2003 16:49:09 -0000
Received: from unknown (HELO vexpert.dbai.tuwien.ac.at) (128.131.111.2)
  by sources.redhat.com with SMTP; 23 May 2003 16:49:09 -0000
Received: from [128.131.111.60] (acrux [128.131.111.60])
	by vexpert.dbai.tuwien.ac.at (Postfix) with ESMTP id 1AFA513787
	for <overseers@sources.redhat.com>; Fri, 23 May 2003 18:49:08 +0200 (CEST)
Date: Fri, 23 May 2003 16:49:00 -0000
From: Gerald Pfeifer <gerald@pfeifer.com>
To: overseers@sources.redhat.com
Subject: Re: request for gcc web page maintainers
In-Reply-To: <20030523144237.GC5114@redhat.com>
Message-ID: <Pine.BSF.4.55.0305231838460.59128@acrux.dbai.tuwien.ac.at>
References: <20030515193927.GA8980@redhat.com>
 <Pine.BSF.4.55.0305230025020.55857@acrux.dbai.tuwien.ac.at>
 <20030523144237.GC5114@redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-SW-Source: 2003-q2/txt/msg00181.txt.bz2

On Fri, 23 May 2003, Christopher Faylor wrote:
> It's much harder to fake mail than it is to type an address into a web
> page.  There's no security in the web page at all.

The current web page is quote safe.  The applicant only provides the
mail address of the approver which then is sent a URL with a cookie.

That way, if you see "Approved: gerald@pfeifer.com" you can be
sufficiently sure that it was me who approved the account, because a
malicious user can easily spoof mail from me, but he can hardly intercept
mail gcc.gnu.org send _to_ me and thus doesn't know the secret.

> However, the bottom line is that the process doesn't work the way it
> is apparently advertised to be working.

Well, _that's_ a good point. Unless someone steps forward to update the
form, I'm thus going to install the patch below.

> I was just trying to avoid getting spam here.  Wouldn't it be obvious
> from context that an email address was being mentioned, even if the '@'
> was missing for some reason?

I just did that in the patch below. ;-)

Gerald

Index: cvswrite.html
===================================================================
RCS file: /cvs/gcc/wwwdocs/htdocs/cvswrite.html,v
retrieving revision 1.54
diff -u -3 -p -r1.54 cvswrite.html
--- cvswrite.html	21 May 2003 00:12:50 -0000	1.54
+++ cvswrite.html	23 May 2003 16:44:55 -0000
@@ -31,12 +31,8 @@ href="bugs/management.html">edit our bug
 <h2><a name="authenticated">Authenticated access</a></h2>

 <p>Authenticated access is provided via the SSH protocol. Please
-provide us with your public key, which you can generate via the
-<code>ssh-keygen</code> program.  This will store your public key in
-the file <code>.ssh/identity.pub</code> in your home directory.
-Please use <a
-href="http://sources.redhat.com/cgi-bin/pdw/ps_form.cgi">this form</a>
-to supply the file and your other details.</p>
+provide <code>overseers (at) gcc.gnu.org</code> with your SSH public key
+which you can generate via the <code>ssh-keygen</code> program.</p>

 <p>Once we have this information we will set up an account on
 <code>gcc.gnu.org</code> and inform you by mail.  At this point you