[Freedombox-discuss] FreedomBox UI in your language

Sunil Mohan Adapa sunil at medhas.org
Thu Dec 3 04:42:13 UTC 2015


On 12/02/2015 05:36 PM, Petter Reinholdtsen wrote:
[...]
> This would mean the Weblate web service has commit access to our git
> repository, either using an ssh key with no password (scary) or a
> password protected ssh key and an ssh-agent with the password available
> for the web server to use (also scary).  And any security issue with
> Weblate could lead to unwanted commits to the Plinth git repository
> (even scarier).

This is not all that bad.  Every developer and every developer's GitHub
account has full copies of the entire Plinth git repository.  If ever
any bad commits or history changes happen to the repository, it will be
caught due to hash changes that will be introduced with Git due to such
an operation.  We can take action and easily ban and restore then.

This is not too different from our relaxed policy of allowing many
developers to write to the repository (especially on Alioth).  Any of
their machines or SSH keys could get compromised and lead to malicious
commits to the repository, but that will be easily identified and fixed.
We can treat Weblate as one of our developers.

-- 
Sunil

