As part of our ever vigilant stance towards security around our packaging process, we have added a new feature to upload.cgi (which accepts file uploads into the lookaside cache) which will email the package owner (<package>-owner@fedoraproject.org, specifically) and fedora-extras-commits@redhat.com whenever a file is uploaded to the lookaside cache. Previously this was a big black box and an area of concern.
The message will contain the name of the file, the package concerned, the md5sum, and the user that uploaded it. An example is below:
File upload.cgi for package sportrop-fonts has been uploaded to the lookaside cache with md5sum 26489f9e92601f0f84cfbb278c2b98e1 by jstanley
Please let me know if you have any questions, comments, or room for improvement!
Thanks! -Jon
On Sunday, 22 November 2009 at 01:34, Jon Stanley wrote: [...]
Please let me know if you have any questions, comments, or room for improvement!
It'll provide means for maintainers to verify their changes, and that's always a good thing. Thanks!
Regards, R.
Jon Stanley wrote:
The message will contain the name of the file, the package concerned, the md5sum, and the user that uploaded it. An example is below:
File upload.cgi for package sportrop-fonts has been uploaded to the lookaside cache with md5sum 26489f9e92601f0f84cfbb278c2b98e1 by jstanley
Please let me know if you have any questions, comments, or room for improvement!
Well, since you asked... :)
I'd like to suggest that we use the name of the account uploading the file instead of nobody@fedoraproject.org and tweak the format of the message just a little, to make it easier to compare the output to locally generated md5sum output. An example:
A file has been added to the lookaside cache for sportrop-fonts:
26489f9e92601f0f84cfbb278c2b98e1 sportrop-fonts-1.0.tar.gz
Being lazy, I try to be the last one to volunteer anyone else for work, so I have also made these suggestions in convenient unified diff format (easily applied using git am to the infrastructure puppet repository) at: http://tmz.fedorapeople.org/patches/upload_cgi/
Thanks for adding this feature to the upload scripts. I think it's a good idea. Next up, moving from MD5 to something stronger, like SHA256. ;)
Jon Stanley wrote:
The message will contain the
name of the file, the package
concerned, the md5sum, and the
user that uploaded it. An example is
below:
File upload.cgi for package sportrop-fonts has
been uploaded to the
lookaside cache with md5sum
26489f9e92601f0f84cfbb278c2b98e1 by
jstanley
Please let me know if you have any questions,
comments, or room for
improvement!
Well, since you asked... :)
I'd like to suggest that
we use the name of the account uploading the
file instead of
nobody@fedoraproject.org and tweak the format of the
message
just a little, to make it easier to compare the output to
locally generated md5sum output. An example:
A file
has been added to the lookaside cache for sportrop-fonts:
26489f9e92601f0f84cfbb278c2b98e1 sportrop-fonts-1.0.tar.gz
Being lazy, I try to be the last one to volunteer anyone
else for
work, so I have also made these suggestions in
convenient unified diff
format (easily applied using git am to
the infrastructure puppet
repository) at:
http://tmz.fedorapeople.org/patches/upload_cgi/
Thanks for adding this feature to the upload scripts. I think it's a
good idea. Next up, moving from MD5 to something stronger, like SHA256. ;)
Does anyone know why I'm getting tons of notifications concerning packages for which I am not maintainer, co-maintainer?
-- Todd OpenPGP ->
KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Anyone who is capable of getting themselves made President should
on
no account be allowed to do the job. -- Douglas
Adams
-- fedora-devel-list mailing list fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
On Sun, Nov 22, 2009 at 3:16 PM, Jon Ciesla limb@jcomserv.net wrote:
Does anyone know why I'm getting tons of notifications concerning packages for which I am not maintainer, co-maintainer?
No clue - are you on fedora-extras-commits maybe? You'd get them all in that case.
On Sat, 2009-11-21 at 19:34 -0500, Jon Stanley wrote:
As part of our ever vigilant stance towards security around our packaging process, we have added a new feature to upload.cgi (which accepts file uploads into the lookaside cache) which will email the package owner (<package>-owner@fedoraproject.org, specifically) and fedora-extras-commits@redhat.com whenever a file is uploaded to the lookaside cache. Previously this was a big black box and an area of concern.
Awesome. Thanks a whole bunch!
Jon.
On Sat, 2009-11-21 at 19:34 -0500, Jon Stanley wrote:
As part of our ever vigilant stance towards security around our packaging process, we have added a new feature to upload.cgi (which accepts file uploads into the lookaside cache) which will email the package owner (<package>-owner@fedoraproject.org, specifically) and fedora-extras-commits@redhat.com whenever a file is uploaded to the lookaside cache. Previously this was a big black box and an area of concern.
Minor gripe --- could we have these emitted by a less bogus sender address than "nobody@fedoraproject.org"? That's getting eaten by my spam filters.
regards, tom lane
On Sat, 2009-11-21 at 19:34 -0500, Jon Stanley wrote:
As part of our ever vigilant stance towards security around our packaging process, we have added a new feature to upload.cgi (which accepts file uploads into the lookaside cache) which will email the package owner (<package>-owner@fedoraproject.org, specifically) and fedora-extras-commits@redhat.com whenever a file is uploaded to the lookaside cache. Previously this was a big black box and an area of concern.
The message will contain the name of the file, the package concerned, the md5sum, and the user that uploaded it. An example is below:
File upload.cgi for package sportrop-fonts has been uploaded to the lookaside cache with md5sum 26489f9e92601f0f84cfbb278c2b98e1 by jstanley
Please let me know if you have any questions, comments, or room for improvement!
Can we get an X-Fedora-Upload: header in these or something? Filtering by subject line always makes me feel dirty.
- ajax
Adam Jackson wrote:
Can we get an X-Fedora-Upload: header in these or something? Filtering by subject line always makes me feel dirty.
How about using the Keywords header? That way we can also use it to create a topic for the fedora-extras-commits list. Something like:
Keywords: Fedora file upload ($package, $filename)
perhaps?