From: Ted Zlatanov
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Add note about Oort Gnus releases, and No Gnus.
Date: Sun, 19 Dec 2010 08:41:32 -0600
Message-ID: <87zks1su3n.fsf@lifelogs.com>
To: ding@gnus.org
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/24.0.50 (gnu/linux)

On Sun, 19 Dec 2010 00:29:30 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote:

AS> On Sat, 18 Dec 2010 10:08:53 -0600, Ted wrote:

>> No, because pulling in place means that at least for a little bit you
>> have the wrong permissions on things.

AS> How come? Does any of the files on the website need special permissions?

Not currently. But like I said, Git is plain stupid when it comes to
permissions and I don't want to trust it with them. Maybe if we
combined Git with metastore or etckeeper it would work, but I'm not
confident and the scale of this work doesn't warrant it.

>>>> Also the .git directory under the HTML tree would bother me and is a
>>>> potential security risk.

AS> Again I am probably dense, but how would the content of .git pose a
AS> security risk?

>> It could be used by an attacker to hide files, for instance.

AS> If an attacker can put files in .git, couldn't he put them anywhere else
AS> as well?

It's a hidden directory that's served by the webserver, which makes it a
nice juicy target. It's a small security risk but I'd rather not take
it.

AS> To me a deployment process that uses sudo a number of times seems more
AS> questionable than one that runs fewer commands and unprivileged, but
AS> what do I know :-)

I realized I forgot to qualify the paths completely when you mentioned
that :)

I don't think sudo is a problem when it calls trusted commands with
known parameters. I know exactly what chown, chmod, and rsync will do
as I listed them. Git, on the other hand, is extremely complex and, as
I said, not written with security in mind. So my choices are more
conservative.

Ted
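
A check for the two concerns raised in the message above (a `.git` or other hidden directory under the served tree, and wrong permissions on deployed files), as an added example that is not from this thread or from the site's deploy procedure. The function name `audit_docroot`, the finding labels, and the choice of world-writable as the "wrong" permission are assumptions.

```shell
#!/bin/sh
# Added example: audit a web document root after a deploy.
# Finding labels (vcs-metadata, hidden-entry, world-writable) are made up
# for this sketch; "wrong permissions" is assumed to mean world-writable.

# audit_docroot DIR
#   Prints one finding per line.
#   Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_docroot() {
    docroot=$1
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi

    findings=$(
        # Version-control metadata that the web server would serve as-is.
        find "$docroot" -type d \( -name .git -o -name .svn -o -name .hg \) \
            -prune -print | sed 's/^/vcs-metadata /'

        # Any other dot-entry: a plain ls does not list it, so files placed
        # there are easy to miss. VCS dirs are pruned here, not re-reported.
        find "$docroot" \
            \( -type d \( -name .git -o -name .svn -o -name .hg \) -prune \) \
            -o \( ! -path "$docroot" -name '.*' -print \) \
            | sed 's/^/hidden-entry /'

        # World-writable files or directories. Symlinks are skipped because
        # their own mode bits are not meaningful.
        find "$docroot" ! -type l -perm -0002 -print \
            | sed 's/^/world-writable /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run it against the live tree after each deploy; a non-zero exit status can fail the deploy job.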