Q: Access Control Options
Maritza Mendez
martitzam at gmail.com
Thu Sep 30 19:39:32 BST 2010
On Thu, Sep 30, 2010 at 1:45 AM, Alexander Belchenko <bialix at ukr.net> wrote:
> Maritza Mendez wrote:
>
>
>>
>> On Wed, Sep 29, 2010 at 1:45 AM, Alexander Belchenko <bialix at ukr.net> wrote:
>>
>> Maritza Mendez wrote:
>>
>> Hi. There are a couple current threads here (ok, including one
>> I started) which include discussion of ACL-like properties for
>> branches. So I assume there is interest in this topic. I have
>> had typically bad experiences with the ACL layer tacked onto
>> some commercial version control systems. So I am very cautious
>> about suggesting similar "enhancements" to bzrlib. Instead,
>> I've been thinking about the Un*x way -- many "little" tools,
>> each of which does one job extremely well -- and leveraging the
>> expertise and architecture already baked into every Linux box.
>>
>>
>> I was so naive to expect something which can be run on Windows-based
>> server machine... Silly me.
>>
>>
>> I'm assuming that's humor which I am unable to translate. :)
>>
>
> That's a sad humor. I'm even not sure it was funny.
>
> I don't have your experience about SVN auth solutions, and therefore I
> don't understand why built-in ACL support in the bzr:// protocol would hurt.
> I would like to understand all issues here. But as my naive expectation such
> thing like built-in ACL and simple users management will be so easy to use
> for people so everybody would love to use only the fastest bzr:// protocol
> because it would be so easy to set it up.
>
> For example, there is still no bzr+ssh:// support on Savannah, only sftp.
> Why? Maybe because bzr+ssh:// is a bit harder to set up?
>
> My personal interest in easy and built-in ACLs is to allow even the
> smallest company to set up bzr:// server on any spare computer. In such small
> companies there are no certified sysadmins at all, and people maintain their
> infrastructure themselves. I'm dreaming about: just install, configure
> (possible via qt-based wizard ;) and go!
>
Alexander, I think you understand the need perfectly. (Ok, perfectly for
me, maybe not perfectly for everyone else.) The concerns I have about
access control layers and tools are that the ones I have seen have been built
with an implicit assumption (or inflicted requirement) that the organization
has a full-time configuration control engineer. That's a bad assumption,
and I don't think it should be necessary. My most unfavorite example is
ClearCase. Admittedly, this is an extreme example. The whole ClearCase
system projects a bureaucratic and authoritarian culture. And this flows
down into every aspect, including access control tools which are a real pain
to learn and use effectively, given the simplicity of the goals.
To be clear, I do not think baked-in ACL has to be bad for bzr. It could
be very good, provided it is done by people who really understand the
security requirements in a way which respects the
simple-things-should-be-easy culture of bzr. So I've been experimenting
with ways to get the results I need with existing tools rather than push for
a feature request that I haven't fully figured out myself. If someone wants
to take a stab at it, great!
~M