APT repository: notify incoming
Originally created by Tails on #5894 (Redmine)
Tell reprepro to email what processincoming does, probably using reprepro hooks (file:///usr/share/doc/reprepro/manual.html#hooks), or piggy-backing on the existing inoticoming system (https://gitlab.com/shared-puppet-modules-group/reprepro/blob/master/files/inoticoming.init, https://gitlab.com/shared-puppet-modules-group/reprepro/blob/master/templates/inoticoming.default.erb).
Ideally, the granularity of change notification should be the upload of a .changes file (which dput/dupload do after they’ve finished uploading the files referenced in the .changes file).
The initial research can be done without any special setup: one needs reprepro with a basic configuration and to run reprepro processincoming.
The script/hook that emails changes should allow customizing the destination email address without modifying the code (command line argument, preferably).
Regarding implementation language: Python, Ruby or Modern Perl; but very good shell might be OK. The code should be defensive enough: assume the input is untrusted.
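As an added example (not code from this ticket or from the puppet-tails repository), here is a hypothetical Python hook of the kind described above: the destination address comes from a --to command-line argument, the .changes file is treated as untrusted input (size limit, whitelist of fields, strict patterns for the source name, version and file entries, control characters stripped), and the resulting mail is handed to the local MTA. It assumes reprepro invokes the script with the path of the accepted .changes file as its last argument; check the hooks section of the reprepro manual linked above for the exact calling convention before registering it in conf/distributions. The .changes text embedded near the bottom is a constructed sample for a self-check.

```python
"""Hypothetical reprepro notification hook (added example, not Tails' code).
Assumption: reprepro passes the accepted .changes path as the last argument.
The .changes file is untrusted input; the address comes from --to."""
import argparse
import re
import subprocess
from email.message import EmailMessage
from pathlib import Path

MAX_CHANGES_BYTES = 1 << 20          # refuse absurdly large inputs
ALLOWED_FIELDS = {"Source", "Version", "Distribution", "Date", "Changed-By"}
SOURCE_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")       # Debian source names
VERSION_RE = re.compile(r"^[0-9][A-Za-z0-9.+~:-]*$")   # Debian version strings
# "Files:" continuation line: md5 size section priority filename.
# The filename must be a plain name (no '/', no leading '.').
FILE_LINE_RE = re.compile(
    r"^\s+([0-9a-f]{32})\s+(\d+)\s+(\S+)\s+(\S+)\s+([A-Za-z0-9][A-Za-z0-9.+~_-]*)$")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_changes(text):
    """Return (fields, files) from .changes text; raise ValueError on anything odd."""
    fields, files, in_files = {}, [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            m = FILE_LINE_RE.match(line)
            if m:
                files.append((m.group(5), int(m.group(2)), m.group(3)))
                continue
            if line[0].isspace():           # indented but not a valid entry
                raise ValueError("malformed Files entry: %r" % line)
            in_files = False                # a new field starts here
        if line[0].isspace():
            continue                        # continuation of an ignored field
        name, sep, value = line.partition(":")
        if sep and name in ALLOWED_FIELDS:  # unknown fields are dropped
            fields[name] = CONTROL_RE.sub("", value.strip())
    if not (SOURCE_RE.match(fields.get("Source", ""))
            and VERSION_RE.match(fields.get("Version", "")) and files):
        raise ValueError("missing/invalid Source, Version or Files section")
    return fields, files


def build_notification(fields, files, to_addr, sender="reprepro@localhost"):
    """Build (but do not send) the notification for an accepted upload."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_addr
    msg["Subject"] = "[apt] accepted %s %s into %s" % (
        fields["Source"], fields["Version"], fields.get("Distribution", "?"))
    body = ["Accepted upload:", ""]
    for name in ("Source", "Version", "Distribution", "Changed-By", "Date"):
        if name in fields:
            body.append("%-13s %s" % (name + ":", fields[name]))
    body += ["", "Files:"] + ["  %s (%d bytes, %s)" % f for f in files]
    msg.set_content("\n".join(body) + "\n")
    return msg


# Constructed sample .changes content (unsigned, shortened) for a self-check.
SAMPLE_CHANGES = """\
Format: 1.8
Date: Mon, 02 Sep 2013 10:00:00 +0200
Source: tails-foo
Version: 1.2-1
Distribution: stable
Changed-By: Example Dev <dev@example.org>
Changes:
 tails-foo (1.2-1) stable; urgency=medium
Files:
 00000000000000000000000000000000 321 misc optional tails-foo_1.2-1.dsc
 00000000000000000000000000000000 4567 misc optional tails-foo_1.2-1_all.deb
"""


def main(argv=None):
    ap = argparse.ArgumentParser(description="email a summary of an accepted .changes")
    ap.add_argument("--to", required=True, help="destination address")
    ap.add_argument("hook_args", nargs="+",
                    help="arguments passed by reprepro; the .changes path is last")
    args = ap.parse_args(argv)
    path = Path(args.hook_args[-1])
    if path.suffix != ".changes" or path.stat().st_size > MAX_CHANGES_BYTES:
        raise SystemExit("refusing to read %s" % path)
    text = path.read_bytes().decode("utf-8", errors="replace")
    msg = build_notification(*parse_changes(text), args.to)
    # Hand the message to the local MTA; swap in smtplib if preferred.
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"],
                   input=msg.as_bytes(), check=True)


if __name__ == "__main__":
    main()
```

Invoked as notify-incoming --to apt-notify@example.org <arguments from reprepro>, the script either mails a short summary or exits non-zero without sending anything when the .changes file fails validation, so a crafted upload cannot inject headers or path-like file names into the notification.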
Then, it should be integrated in:
- the reprepro Puppet module we’re using;
- our tails::reprepro::custom Puppet class.
Sources of inspiration:
- http://vincent.bernat.im/en/blog/2014-local-apt-repositories.html, that uses https://gist.github.com/vincentbernat/7404733
Now, regarding security, this notification system can be bypassed by developers with SSH access to the reprepro account: they can run arbitrary reprepro commands to modify the contents of our repository.
To bring this to the next level, we need to limit their access to scp’ing files to the incoming directory (likely with sftp-only accounts or similar, with adequate ownership/permissions or chroot’ing to ensure they cannot modify the other repository files directly). Once the notification system is in place, a new ticket must be created to track these next steps.
Feature Branch: puppet-tails:feature/5894-reprepro-notify-incoming-changes