From 344723b9741239efc23757b82596c3b08549db7a Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Wed, 16 Sep 2009 22:25:32 +0530 Subject: [PATCH] conf+doc/3: explain why we don't like "exclude rules" in refexes --- conf/example.conf | 2 +- doc/3-faq-tips-etc.mkd | 52 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/conf/example.conf b/conf/example.conf index 14c6817..7170140 100644 --- a/conf/example.conf +++ b/conf/example.conf @@ -94,6 +94,6 @@ repo @privrepos thirdsecretrepo RW+ pu = bruce RW master next = bruce RW refs/tags/v[0-9].* = bruce - RW refs/tags/ = @secret_staff + RW refs/tags/ss/ = @secret_staff RW tmp/.* = @secret_staff R = @secret_staff diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd index 465959c..6fcc649 100644 --- a/doc/3-faq-tips-etc.mkd +++ b/doc/3-faq-tips-etc.mkd @@ -8,10 +8,13 @@ In this document: * differences from gitosis * two levels of access rights checking * error checking the config file + * built-in logging * one user, many keys * who am I? * other cool things * developer specific branches + * design choices + * why we don't do "excludes" ### common errors and mistakes @@ -249,3 +252,52 @@ first check: RW dummy = user3 Just don't *show* the user this config file; it might sound insulting :-) + +### design choices + +#### why we don't do "excludes" + +I found an error in the example conf file. This snippet *seems* to say that +"bruce" can write versioned tags (`refs/tags/v[0-9].*`), but the other +staffers can't: + + @staff = bruce whitfield martin + [... and later ...] + RW refs/tags/v[0-9].* = bruce + RW refs/tags = @staff + +But that's not how the matching works. As long as any refex matches the +refname being updated, it's a "yes". So the second refex lets anyone on +`@staff` create versioned tags, not just Bruce. + +One way to fix this is to allow "excludes" -- some changes in syntax, combined +with a rigorous, ordered, interpretation would do it. + +But if you're ever played with squid ACLs, or the include/exclude rules for +rsync, or rdiff-backup, or even git's own ignore mechanism, you'll see why I +won't do this. It bloats the code and the docs, and, despite all the docs, +*still* confuses people, which may then *reduce* security! + +Squid, rsync, gitignore, and all *need* the feature and so tolerate all this; +but we don't need it. All we need to do is make the refexes *disjoint* in +what they match (i.e., ensure that no refname can be matched by more than one +refex): + + RW refs/tags/v[0-9].* = bruce + RW refs/tags/staff/ = @staff + +In general, you probably want to control the refnames writable by devs anyway, +if at least to maintain some sanity, so being forced to make the refexes +disjoint is not a big problem. Here's an example: only the `project_lead` can +make arbitrarily named refs, while the rest have to stay within their assigned +namespaces: + + RW+ = project_lead + RW refs/tags/qa/ = @qa_team + RW bugID/ = @dev_team + RW trac/ = @dev_team + +The lack of overlap between refexes ensures ***no confusion*** in specifying, +understanding, and ***auditing***, what is allowed and what is not. + +And in security, "no confusion" is a good thing :-)