
I recently set up a Mercurial hosting solution myself, and noticed that there is no audit trail of who had been writing to the "master" clone. There are commit messages, but they could be fake (even misleading to a different committer).

The threat I'm concerned about is that of a stolen SSH key. If that is abused to push suspicious changes into the repository, it is really difficult to find out whose key had been used.

The solution I came up with is to define an "incoming" hook on the repository which will log the SSH user along with the pack ID of the pack being pushed.

I'd like to propose that a similar hook is installed on repositories hosted at hg.python.org (unless Mercurial offers something better already). Whether or not this log should be publicly visible can be debated; IMO it would be sufficient if only sysadmins can inspect it in case of doubt. Alternatively, the email notification sent to python-checkins could report who the pusher was.

Dirkjan: if you agree to such a strategy, please mention that in the PEP.

Regards, Martin
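As an added illustration of the hook Martin describes (my own example, not code from this thread and not Mozilla's pushlog): a Mercurial pretxnchangegroup hook that records the SSH principal, rather than the forgeable commit author, against every pushed changeset, plus the audit query that goes from a suspicious changeset back to the key that pushed it. It assumes the SSH side exports the key's owner in an HG_PUSHER environment variable (e.g. from an authorized_keys forced command) and that hgrc wires it up with `[hooks] pretxnchangegroup.pushlog = python:/path/pushlog.py:hook`; changeset nodes stand in for the "pack ID", since that is what Mercurial hands a hook.

```python
import os
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS pushlog (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    user TEXT NOT NULL,      -- the SSH principal, not the commit author
    date INTEGER NOT NULL);  -- seconds since the epoch
CREATE TABLE IF NOT EXISTS changesets (
    pushid INTEGER NOT NULL REFERENCES pushlog(id),
    rev    INTEGER NOT NULL,
    node   TEXT NOT NULL UNIQUE);
"""

def open_pushlog(path=":memory:"):
    """Open (and if needed create) the pushlog database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def record_push(conn, user, changesets, now=None):
    """Record one push; `changesets` is a list of (rev, hex node). Returns the push id."""
    if not user:
        raise ValueError("SSH principal unknown; refusing to log the push")
    now = int(time.time()) if now is None else now
    pushid = conn.execute("INSERT INTO pushlog (user, date) VALUES (?, ?)",
                          (user, now)).lastrowid
    conn.executemany("INSERT INTO changesets (pushid, rev, node) VALUES (?, ?, ?)",
                     [(pushid, rev, node) for rev, node in changesets])
    conn.commit()
    return pushid

def pusher_of(conn, node):
    """Audit query: (user, date) of the push that brought in `node` (hash or prefix), or None."""
    return conn.execute(
        "SELECT p.user, p.date FROM pushlog p JOIN changesets c ON c.pushid = p.id "
        "WHERE c.node LIKE ?", (node + "%",)).fetchone()

def hook(ui, repo, hooktype, node=None, **kwargs):
    """Mercurial entry point: `node` is the first incoming changeset, everything from
    it to tip is this push. Returning True rejects the changegroup before it lands."""
    user = os.environ.get("HG_PUSHER")  # assumption: set by the SSH forced command
    if not user:
        ui.warn("pushlog: cannot identify the pushing SSH key, rejecting\n")
        return True
    changesets = [(rev, repo[rev].hex()) for rev in range(repo[node].rev(), len(repo))]
    conn = open_pushlog(os.path.join(repo.root, ".hg", "pushlog.db"))
    ui.status("pushlog: push %d by %s\n" % (record_push(conn, user, changesets), user))
    return False
```

Only `open_pushlog`, `record_push` and `pusher_of` run offline; `hook` needs a live repository and follows the classic (ui, repo, hooktype, **kwargs) Python hook signature.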

Antoine Pitrou <solipsis <at> pitrou.net> writes:
Martin v. Löwis <martin <at> v.loewis.de> writes:
Alternatively, the email notification sent to python-checkins could report who the pusher was.
This sounds reasonable, assuming it doesn't disclose any private information.
There are already made solutions for that, as the pushlog hooks used by Mozilla, OpenJDK and others. Mozilla's pushlog can be seen here: http://hg.mozilla.org/mozilla-central/pushloghtml And its code is available here: http://hg.mozilla.org/users/bsmedberg_mozilla.com/hgpoller/file/tip/pushlog-... Dirkjan is its author, so I suppose he was already thinking about having a similar hook for Python repos. Regards, Rafael

Mozilla's pushlog can be seen here:
http://hg.mozilla.org/mozilla-central/pushloghtml
And its code is available here: http://hg.mozilla.org/users/bsmedberg_mozilla.com/hgpoller/file/tip/pushlog-...
Dirkjan is its author, so I suppose he was already thinking about having a similar hook for Python repos.
This seems to just be the code that generates the feed, out of a database pushlog2.db that somehow must be created. So where is the code to actually fill that database? Regards, Martin

On 13/02/2010 15:25, "Martin v. Löwis" wrote:
Mozilla's pushlog can be seen here:
http://hg.mozilla.org/mozilla-central/pushloghtml
And its code is available here: http://hg.mozilla.org/users/bsmedberg_mozilla.com/hgpoller/file/tip/pushlog-...
Dirkjan is its author, so I suppose he was already thinking about having a similar hook for Python repos.
This seems to just be the code that generates the feed, out of a database pushlog2.db that somehow must be created. So where is the code to actually fill that database?
There's some more content here: http://hg.mozilla.org/users/bsmedberg_mozilla.com/hgpoller/file/tip But I don't use it myself, just knew about its existence. Surely Dirkjan can make all the pieces fit nicely :). Rafael

On 13/02/2010 16:03, Rafael Villar Burke (Pachi) wrote:
There's some more content here: http://hg.mozilla.org/users/bsmedberg_mozilla.com/hgpoller/file/tip But I don't use it myself, just knew about its existence. Surely Dirkjan can make all the pieces fit nicely :). The hook code looks like it's here: http://hg.mozilla.org/users/bsmedberg_mozilla.com/hghooks/file/tip The previous repository link is the hgwebdir integration code.
Regards, Rafael

Am 13.02.2010 13:19, schrieb Antoine Pitrou:
Martin v. Löwis <martin <at> v.loewis.de> writes:
Alternatively, the email notification sent to python-checkins could report who the pusher was.
This sounds reasonable, assuming it doesn't disclose any private information.
How could it disclose more than the SVN hook does today (i.e. who is working on the repo right now)? Georg -- Thus spake the Lord: Thou shalt indent with four spaces. No more, no less. Four shall be the number of spaces thou shalt indent, and the number of thy indenting shall be four. Eight shalt thou not indent, nor either indent thou two, excepting that thou then proceed to four. Tabs are right out.

Georg Brandl wrote:
Am 13.02.2010 13:19, schrieb Antoine Pitrou:
Martin v. Löwis <martin <at> v.loewis.de> writes:
Alternatively, the email notification sent to python-checkins could report who the pusher was. This sounds reasonable, assuming it doesn't disclose any private information.
How could it disclose more than the SVN hook does today (i.e. who is working on the repo right now)?
It could reveal email addresses, for example, which in turn would attract spammers. However, I assume that Antoine was bringing up privacy just as a general concern, and didn't really expect any specific issue. Regards, Martin

Martin v. Löwis <martin <at> v.loewis.de> writes:
Georg Brandl wrote:
Am 13.02.2010 13:19, schrieb Antoine Pitrou:
Martin v. Löwis <martin <at> v.loewis.de> writes:
Alternatively, the email notification sent to python-checkins could report who the pusher was. This sounds reasonable, assuming it doesn't disclose any private information.
How could it disclose more than the SVN hook does today (i.e. who is working on the repo right now)?
It could reveal email addresses, for example, which in turn would attract spammers. However, I assume that Antoine was bringing up privacy just as a general concern, and didn't really expect any specific issue.
That's right. Thanks for de-obfuscating me :) Regards Antoine.

On Sat, Feb 13, 2010 at 12:53, "Martin v. Löwis" <martin@v.loewis.de> wrote:
Dirkjan: if you agree to such a strategy, please mention that in the PEP.
Having a pushlog and/or including the pusher in the email sounds like a good idea, I'll add something to that effect to the PEP. I slightly prefer adding it to the commit email because it would seem to require less infrastructure, and it can be handy at times to know who pushed something right off the bat. Cheers, Dirkjan

Am 13.02.2010 18:52, schrieb Dirkjan Ochtman:
On Sat, Feb 13, 2010 at 12:53, "Martin v. Löwis" <martin@v.loewis.de> wrote:
Dirkjan: if you agree to such a strategy, please mention that in the PEP.
Having a pushlog and/or including the pusher in the email sounds like a good idea, I'll add something to that effect to the PEP. I slightly prefer adding it to the commit email because it would seem to require less infrastructure, and it can be handy at times to know who pushed something right off the bat.
+1. Georg -- Thus spake the Lord: Thou shalt indent with four spaces. No more, no less. Four shall be the number of spaces thou shalt indent, and the number of thy indenting shall be four. Eight shalt thou not indent, nor either indent thou two, excepting that thou then proceed to four. Tabs are right out.