[SAC] [OSGeo] #1338: Hide contributor agreements, visible through Apache/SVN

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+------------------------------------------------
Reporter: jmckenna | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords:
---------------------------+------------------------------------------------
(Jachym please speak up to help clarify)

  - contributor license agreements are stored in SVN
    (http://svn.osgeo.org/osgeo/board/contribution_agreements/)

  - however these files can contain private information (signatures,
    company names, etc.)

  - we must somehow not allow SVN/Apache to display those files in the
    browser

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1338>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+------------------------------------------------
Reporter: jmckenna | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords:
---------------------------+------------------------------------------------

Comment (by jachym):

During our discussion about "creating map with OSGeo contributors" the
privacy question was raised and it was pointed out that the agreements do
contain potentially sensitive information. I agree that this SVN
directory should not be exposed directly via Apache.

The blocking could be done either using an .htaccess file or at the Apache level.

IMHO only PDFs should be blocked. The sqlite database contains only
project names and contributor names.

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1338#comment:1>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+--------------------
Reporter: Jeff McKenna | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+--------------------
Changes (by strk):

* cc: robe (added)

Comment:

This is still an issue, despite there being an .htaccess file (which is
also visible).
It shouldn't take much to fix.
Regina: do you want to give this a try?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:2>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+--------------------
Reporter: Jeff McKenna | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+--------------------

Comment (by robe):

strk I'm not sure how to fix this. The svn repo is publicly visible. I
don't need to be logged into osgeo to see the folder above, I can just
browse to it.

I don't think I have administrative rights on svn server to do this. I
don't even know where server is housed. It would seem we'd need to remove
access of the contribution_agreements in svn from public and make it only
accessible to board members or others that have commit rights to the board
folder.

That said I don't know how the svn feeds the website. This folder
shouldn't even be pushing to the website.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:3>
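
The restriction described in the comment above, written as mod_authz_svn path-based authorization, which is enforced for browser requests and svn client operations alike. This is an added example, not OSGeo's actual configuration: the file paths, the `board` group and its members are assumptions, and it restricts the whole directory rather than only the PDFs.

```apache
# Added example with assumed paths and names; not OSGeo's real configuration.
<Location /osgeo>
    DAV svn
    # Assumed repository location on disk.
    SVNPath /var/svn/osgeo

    AuthType Basic
    AuthName "OSGeo SVN"
    # Assumed credential store; any Apache auth provider works here.
    AuthUserFile /etc/apache2/svn.htpasswd

    # mod_authz_svn evaluates the rules file below for every repository
    # path a request touches, whether it comes from a browser or an svn client.
    AuthzSVNAccessFile /etc/apache2/svn-authz.conf

    # Anonymous access is tried first; Apache asks for credentials only when
    # the rules deny the anonymous user. On Apache 2.4 "Satisfy" needs
    # mod_access_compat.
    Satisfy Any
    Require valid-user
</Location>

# Contents of /etc/apache2/svn-authz.conf (INI syntax, kept as comments so
# this block stays a single file):
#
#   [groups]
#   # Placeholder members; the real list is whoever may read the agreements.
#   board = alice, bob
#
#   [/]
#   * = r
#
#   [/board/contribution_agreements]
#   * =
#   @board = rw
```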

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+-----------------------
Reporter: Jeff McKenna | Owner: strk
     Type: task | Status: assigned
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+-----------------------
Changes (by strk):

* owner: sac@… => strk
* status: new => assigned

Comment:

I've fixed this with
https://git.osgeo.org/gogs/sac/tracsvn-apache-config/commit/9da4123a334b33b825c548c19a59694f43d33021

All .pdf files now require login by user in the osgeo svn group.
I'm not in that group, looks like, can anyone who is test this?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:4>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+-----------------------
Reporter: Jeff McKenna | Owner: strk
     Type: task | Status: assigned
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+-----------------------
Changes (by strk):

* cc: sac@… (added)

Comment:

Re-adding SAC list in Cc as it was previously getting the mail as being
the owner

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:5>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+---------------------
Reporter: Jeff McKenna | Owner: strk
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------
Changes (by robe):

* status: assigned => closed
* resolution: => fixed

Comment:

I tested and can see the list of PDFs when not logged in but can't
download them.

If I log in then I can download the files as well.

I can download the contributors sqlite file as an anonymous user, but that
sounds like that's what they wanted.

Closing this out.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:6>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+---------------------
Reporter: Jeff McKenna | Owner: strk
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------

Comment (by strk):

Thanks for testing, Regina. Did you also try fetching from SVN? :)

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:7>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+---------------------
Reporter: Jeff McKenna | Owner: strk
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------

Comment (by robe):

Yes, also tested fetching via svn and I can read the files from there
logged in. I forgot how to wipe out my credentials so haven't tested
anonymous checkout.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:8>

#1338: Hide contributor agreements, visible through Apache/SVN
---------------------------+---------------------
Reporter: Jeff McKenna | Owner: strk
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------

Comment (by jachym):

Guys,

I just moved agreements from svn to git
https://git.osgeo.org/gogs/Board/cla/

if I understand correctly, they should not be accessible from the web

sorry, it took so long

J

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1338#comment:9>

Confirmed, the Gogs ones are not visible to the unauthorized user.