Code review comment for lp:~jml/bzr/allow-writes-change-84659

Martin Pool (mbp) wrote:

2009/7/6 Robert Collins <email address hidden>:

>> > I understand the desire behind being clear about it for "bzr serve" to
>> > bring up the http/bzr:// access. I just worry about some of the fallout.
>> >
>> > (I'm not blocking, just bringing up the discussion.)
>>
>> So where to from here?
>
> I think --allow-writes is clear and precise. I don't think we should
> change it unless the change fixes a problem greater than changing it
> will cause.
>
> AIUI the problem is one of expectation? People expecting that allowing
> writes implies some sort of authentication, and we *anticipate* that
> users are putting live, anonymous write permitting servers on the
> internet?

I think that's true.

Murphy's law (correctly stated) implies and experience confirms that
if it is possible to offer anonymous write access to the whole
internet, people will do it. I feel an obligation to at least reduce
the occurrence of problems arising from it.

sshd sets some environment variables for the subprocess. On a brief
inspection this doesn't seem to help us distinguish bzr started by
"ssh host bzr --inet" and "ssh host" then restarting inetd from the
shell, but there may be more detail or it might work as a partial
protection.

Compatibility with existing clients is important.

We can take a step forward by saying that at least for server mode,
listening on --http or as a daemon, you need a special step to allow
write access. This shouldn't break normal use, and people with a
special use can think about what they want. Robert has a point with
something like a "--auth" option indicating what authentication is
acceptable.

--
Martin <http://launchpad.net/~mbp/>
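Added example, not code from bzr or from anyone in this thread: a small write-gating policy of the kind the message sketches, in Python because bzr is. The sshd variable names come from sshd(8); everything else is an assumption made for illustration, including the Mode names, the rules in decide(), and a hypothetical --auth option standing in for the one Robert suggested. The sample environments in the main block are constructed, not captured.

```python
# Added example (not bzr code). Names and policy rules are assumptions for
# illustration; only the sshd environment variable names are real (sshd(8)).
import enum


class Mode(enum.Enum):
    INET = "inet"      # bzr serve --inet: protocol spoken on stdin/stdout
    DAEMON = "daemon"  # listening bzr:// server
    HTTP = "http"      # listening HTTP server


def classify_ssh_env(env):
    """Classify how the process was (apparently) started from sshd's variables.

    sshd(8) sets SSH_CONNECTION for every session, SSH_TTY only when a pty
    was allocated, and SSH_ORIGINAL_COMMAND only when a forced command
    (command= in authorized_keys, or ForceCommand in sshd_config) ran.

    This is evidence, not proof: anyone with shell access can set or unset
    these before starting the server, so it is at best a partial protection.
    """
    if "SSH_CONNECTION" not in env:
        return "not-ssh"
    if "SSH_ORIGINAL_COMMAND" in env:
        return "forced-command"
    if "SSH_TTY" in env:
        return "ssh-interactive"
    return "ssh-no-pty"


def decide(mode, allow_writes, auth, env):
    """Return (writes_permitted, reason) for a server start-up.

    Assumed policy (not bzr's actual behaviour):
      * without --allow-writes, writes are never permitted;
      * in --inet mode whoever launched the process (normally sshd) already
        authenticated the caller, so --allow-writes alone is enough;
      * in listening modes (daemon, http) --allow-writes alone is refused;
        a hypothetical --auth <scheme> must be given as the extra step.
    """
    if not allow_writes:
        return False, "writes not enabled (--allow-writes absent)"
    if mode is Mode.INET:
        return True, "inet mode; caller authenticated by launcher (%s)" % (
            classify_ssh_env(env))
    if auth is None:
        return False, ("%s mode listens for anonymous clients; refusing "
                       "writes without --auth" % mode.value)
    return True, "%s mode with --auth=%s" % (mode.value, auth)


if __name__ == "__main__":
    # Constructed environments, one per way the server might be started.
    forced = {"SSH_CONNECTION": "192.0.2.10 50000 192.0.2.1 22",
              "SSH_ORIGINAL_COMMAND": "bzr serve --inet --allow-writes"}
    interactive = {"SSH_CONNECTION": "192.0.2.10 50000 192.0.2.1 22",
                   "SSH_TTY": "/dev/pts/0"}
    for label, mode, allow, auth, env in [
            ("inet via forced command", Mode.INET, True, None, forced),
            ("inet from a login shell", Mode.INET, True, None, interactive),
            ("http, --allow-writes only", Mode.HTTP, True, None, {}),
            ("http with --auth", Mode.HTTP, True, "basic", {}),
            ("daemon, no --allow-writes", Mode.DAEMON, False, "basic", {})]:
        ok, why = decide(mode, allow, auth, env)
        print("%-28s -> %s (%s)" % (label, "allow" if ok else "refuse", why))
```

The interesting row is "inet from a login shell": classify_ssh_env() reports ssh-interactive rather than forced-command, which is the only signal sshd gives between "ssh host bzr --inet" and a user starting the server by hand, and a user who controls the shell can erase it. That is why the policy above treats the sshd variables as a reason string for logging rather than as an authorization decision, and puts the hard gate on the listening modes instead.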
