[2/2] Require TUs to explicitly request to overwrite a pkgbase

Message ID 20170721041340.29622-2-eschwartz@archlinux.org
State Superseded, archived
Series [1/2] Emit warning when TUs use their superpowers to overwrite a pkgbase

Commit Message

Eli Schwartz July 21, 2017, 4:13 a.m. UTC
AUR_PRIVILEGED allows people with privileged AUR accounts to evade the
block on non-fast-forward commits. While valid in this case, we should
not do so by default, since in at least one case a TU did this without
realizing there was an existing package.
( https://aur.archlinux.org/packages/rtmidi/ )

Use .ssh/config "SendEnv" on the TU's side and sshd_config
"AcceptEnv" on the AUR server to specifically request privileged access.
TUs should use: `export AUR_PRIVILEGED=1; git push`

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 INSTALL            | 1 +
 aurweb/git/auth.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

Comments

Lukas Fleischer July 21, 2017, 4:47 p.m. UTC | #1
On Fri, 21 Jul 2017 at 06:13:40, Eli Schwartz wrote:
> AUR_PRIVILEGED allows people with privileged AUR accounts to evade the
> block on non-fast-forward commits. While valid in this case, we should
> not do so by default, since in at least one case a TU did this without
> realizing there was an existing package.
> ( https://aur.archlinux.org/packages/rtmidi/ )
> 
> Use .ssh/config "SendEnv" on the TU's side and sshd_config
> "AcceptEnv" on the AUR server to specifically request privileged access.
> TUs should use: `export AUR_PRIVILEGED=1; git push`
> [...]

I am not sure whether this is a good idea. AUR_PRIVILEGED is not only
used for non-fast-forward pushes. It is used for every SSH interface
command that requires TU privileges, such as disowning other users'
packages or changing the keywords of a package one does not maintain. It
seems rather inconvenient to require TUs to prefix all their superpower
commands with AUR_PRIVILEGED=1.

Actually, TUs should *never* make use of the forced push feature unless
they are dealing with some copyright infringement or removing some other
legally questionable stuff from the history. So it might make sense to
either restrict this feature to very few TUs (those dealing with legal
issues reported to aur-support@archlinux.org) or to add some kind of
extra switch as you suggested -- but only for non-fast-forward pushes.

The warning you implemented in patch 1/2 certainly is a good idea as
well. Thanks!

Regards,
Lukas
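The policy Lukas sketches (non-fast-forward pushes refused by default, even for privileged accounts, and only permitted when a separate switch is explicitly requested) can be written down as a small decision function. The block below is an added illustration, not aurweb code: the `AUR_OVERWRITE` variable name, the in-memory commit graph and the return shape are assumptions chosen for the example, and the fast-forward test is the usual ancestry check (the old tip must be an ancestor of the new tip) rather than a call into git.

```python
"""Added example: opt-in overwrite policy for ref updates on an AUR-style git server."""
from typing import Mapping, Set, Tuple

# git's all-zero object id marks a ref that is being created (old) or deleted (new)
ZERO_OID = "0" * 40

# Name of the explicit opt-in switch. Assumed for this example; the page itself
# only discusses AUR_PRIVILEGED, which Lukas notes is used for other commands too.
OVERWRITE_VAR = "AUR_OVERWRITE"


def is_fast_forward(parents: Mapping[str, Set[str]], old: str, new: str) -> bool:
    """True if updating a ref from `old` to `new` only appends history.

    `parents` maps commit id -> set of parent ids (a constructed, in-memory stand-in
    for the object database). A fast-forward means `old` is reachable from `new`.
    """
    seen: Set[str] = set()
    stack = [new]
    while stack:
        commit = stack.pop()
        if commit == old:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        stack.extend(parents.get(commit, set()))
    return False


def decide_ref_update(parents: Mapping[str, Set[str]], old: str, new: str,
                      privileged: bool, env: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a push may move a ref; returns (allowed, reason).

    Privilege alone never authorizes a history rewrite: the client must also have
    requested it by sending OVERWRITE_VAR with the exact value "1". Any other value
    (missing, "yes", "true", ...) is treated as not requested, so a value passed
    through from the environment can only ever open the door when it is exactly "1".
    """
    if old == ZERO_OID:
        return True, "creating a new ref"
    if new == ZERO_OID:
        return False, "ref deletion is not permitted over this interface"
    if is_fast_forward(parents, old, new):
        return True, "fast-forward update"
    if not privileged:
        return False, "non-fast-forward push refused: account is not privileged"
    if env.get(OVERWRITE_VAR) != "1":
        return False, (f"non-fast-forward push refused: set {OVERWRITE_VAR}=1 "
                       "to explicitly request an overwrite")
    return True, "privileged overwrite explicitly requested"


if __name__ == "__main__":
    # Constructed commit graph: a <- b <- c is linear history; d rewrites history from a.
    graph = {"a": set(), "b": {"a"}, "c": {"b"}, "d": {"a"}}
    for case in [("b", "c", False, {}),
                 ("b", "d", False, {}),
                 ("b", "d", True, {}),
                 ("b", "d", True, {OVERWRITE_VAR: "yes"}),
                 ("b", "d", True, {OVERWRITE_VAR: "1"})]:
        print(case[:3], dict(case[3]), "->", decide_ref_update(graph, *case))
```

Because the check keys on the exact string "1", the same function works whether the switch arrives through sshd's AcceptEnv, an authorized_keys `environment=` option, or a configuration file: the source of the variable changes, the decision does not.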

Patch

diff --git a/INSTALL b/INSTALL
index 8c9c4dd..22bbe33 100644
--- a/INSTALL
+++ b/INSTALL
@@ -76,6 +76,7 @@  read the instructions below.
         PasswordAuthentication no
         AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
         AuthorizedKeysCommandUser aur
+        AcceptEnv AUR_PRIVILEGED
 
 9) If you want to enable smart HTTP support with nginx and fcgiwrap, you can
    use the following directives:
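Review bot: the added AcceptEnv line documents only the server half of the mechanism; the commit message says TUs also need a SendEnv entry in their own .ssh/config, and `export AUR_PRIVILEGED=1; git push` on its own never transmits the variable. Consider adding, next to this sshd_config snippet or in a TU-facing note, the matching client stanza, e.g. `Host aur.archlinux.org` followed by `SendEnv AUR_PRIVILEGED`, so the flag is not silently dropped. Also note that AcceptEnv makes sshd accept any value a client sends for the variable, so whatever consumes it must compare against the documented value rather than treat "set" as "privileged".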
diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py
index 022b0ff..9aab417 100755
--- a/aurweb/git/auth.py
+++ b/aurweb/git/auth.py
@@ -51,7 +51,7 @@  def main():
 
     env_vars = {
         'AUR_USER': user,
-        'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
+        'AUR_PRIVILEGED': os.environ.get('AUR_PRIVILEGED', '0') if account_type > 1 else '0',
     }
     key = keytype + ' ' + keytext
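Review bot: the lookup `os.environ.get('AUR_PRIVILEGED', '0')` on the changed line runs inside this script, which INSTALL installs as sshd's AuthorizedKeysCommand (aurweb-git-auth), and that command is executed during public-key authentication with an environment sshd constructs itself. Variables a client sends via SendEnv arrive as `env` channel requests after authentication and are placed in the session's environment, not in the AuthorizedKeysCommand's, so as written this falls back to '0' for every TU and privileged access is disabled outright rather than made opt-in; the opt-in check needs to live in the code that runs as the forced command in the session, where the client's variable is visible. Separately, the old line emitted exactly '1' or '0' whereas the new one passes through whatever string the variable holds; normalize it, e.g. `'1' if account_type > 1 and os.environ.get('AUR_PRIVILEGED') == '1' else '0'`, so downstream code only ever sees the two documented values.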