
launchpad-dev team mailing list archive

Re: anonymous ssh access to Launchpad

 

On 16 September 2011 12:51, Michael Hudson-Doyle
<michael.hudson@xxxxxxxxxx> wrote:
> Hi all,
>
> While thinking about something else, I mostly accidentally implemented a
> potentially interesting feature for Launchpad, anonymous read-only ssh
> access to Launchpad:
>
> https://code.launchpad.net/~mwhudson/launchpad/anon-ssh-hack/+merge/75442

That's awesome, and an impressively small patch.  Thanks for jfdi.

A few thoughts:
 * this would (I think 'should') be behind a feature flag - it is a
perfect example of something we might want to deploy and then later
turn off
 * also, I think logging when people connect so that we can count it
would be well worthwhile (or perhaps it's handled at a different
level)

Those should both be a matter of just a few lines.

Much as the web is moving towards "SSL everywhere" I think doing
everything over SSH has some substantial advantages: MITM protection,
and, probably more often important, protection against non-malicious but
clueless intervention by HTTP proxies or other firewalls, and also an
integrity check against packet corruption. (Though, if any of those
things do happen, it can be confusing for the user, but that's out of
scope.)  So I would be happy with this rather than bzr+http or
bzr+tcp.

There is also a bit of a thing that people can now anonymously make us
spend a fair amount of CPU effort, and in the event there is an
exploitable attack in the smart server, they can get at it without
creating an account.  Obviously creating an account is pretty easy, so
perhaps it doesn't matter.

This also needs some UX consideration about when/how people use this,
or configure bzr to use it.  But, I don't think that needs to block
this.  I can imagine this would be useful even just for cases where
people very specifically configure it, like for a CI server.

m

