From: Devan C. - dvn
Subject: Re: [GNUnet-developers] Discussion, and Help Wanted: Moving to Gitlab for Git, CI, and Issues
Date: Sat, 6 Apr 2019 21:29:53 -0700

Florian Dold transcribed 9.8K bytes:
> Thanks for taking the time to set this up.  So far some things don't
> seem right yet:
> 
> There is a massive security problem.  Everybody (!!) is able to create
> accounts and set their password, *without* being the owner of the
> respective email address.  As "proof", I've been so friendly to create
> an account and sample project "as Christian" (sorry Christian!).
> 
> https://gitlab.gnunet.org/grothoff/gitlab-is-so-awesome-but-insecure
> 
> Note that this account has Christian's email address associated with it
> (which I obviously don't control), but I was able to set his password.
> There was no email confirmation step, like there usually is with most
> other platforms.  This is, eh, not great.  I can sign up anybody else,
> they won't get a confirmation.
> 
> (Of course anybody can create an account with a fake name and email
> address, but I would expect that you can only log in after you've
> confirmed that you CONTROL that email address.)

Looks like I should have been more explicit: 

Until email/smtp is set up we will not have confirmation emails.

Another aspect which I could elaborate upon:
Until we create groups/namespaces which replicate the current Gitolite
structure, _including the permissions_, then yes, people can create
namespaces and repos which would conflict. 


Neither of these is an actual problem right now, because it is easy
enough to manually administer, prune, and moderate. I've deleted your
"fake" Christian Grothoff account, and all the repos along with it.
Took only a moment and a couple of clicks.

I've also tightened up the permissions on the GNUnet group. "No harm, no
foul" as they say...

To prevent any additional alarm, I have disabled registration. We can
re-enable it once we have email confirmation set up.

[...]
> * when I go to gitlab.gnunet.org, it asks me for a login.  instead it
> should show me the list of projects

Yep, that's on my list of tasks. I forgot to mention it. Cheers!

> * even when I click on "Explore" in the footer, it shows me an empty
> list of "trending repositories", so the actual list of repositories is
> two clicks away from the landing page.

Not sure if we can "fix" this easily, however once we start populating
the instance with repos and activity, then repos will show up there.

> 
> And a more general comment:  Having some CI bot that rejects bad commits
> would be great.  But I'd rather dislike if we would define a bunch of
> gatekeepers who have to approve merge request from contributors.  So I'd
> prefer if we were liberal with giving access to the main gnunet repo,
> and not create some heavy gatekeeping policies.
> 

I think there is enough to discuss on this point, that I have
already been planning to start an independent thread on the matter...

Will follow up soon. Probably tomorrow.

- Devan
