On Mon, Apr 27, 2015 at 10:21:57AM -0400, Colin Walters wrote:
On Mon, Apr 27, 2015, at 09:45 AM, Pierre-Yves Chibon wrote:
>
> This has lead me to the question: Is this all what SSL certs are bringing us?
I think the ability to do a commit should be thought of as equivalent to the ability
to do a build - because anyone who can commit something to a package will
cause it to be implicitly included in the build that another person does
That implies build access should be gated by SSH key, not by API token or
SSL certificate. (Or alternatively the commit authentication method changed
to match whatever is chosen for build)
But we allow new-comers to make scratch-build on koji before they are in the
packager group. Giving them the opportunity to test their build in real
condition.
Using ssh could also become problematic for application like koschei no?
Pierre