Opened 10 years ago

Closed 7 years ago

Last modified 7 years ago

#1338 closed task (fixed)

Hide contributor agreements, visible through Apache/SVN

Reported by: Jeff McKenna Owned by: strk
Priority: normal Milestone:
Component: SysAdmin Keywords:
Cc: jachym, robe, sac@…

Description

(Jachym please speak up to help clarify)

  • however these files can contain private information (signatures, company names, etc.)
  • we must somehow not allow SVN/Apache to display those files in the browser

Change History (9)

comment:1 by jachym, 10 years ago

During our discussion about "creating a map with OSGeo contributors" the privacy question was raised, and it was pointed out that the agreements do contain potentially sensitive information. I agree that this SVN directory should not be exposed directly via Apache.

The blocking could be done either using a .htaccess file or at the Apache level.

IMHO only PDFs should be blocked. The sqlite database contains only project names and contributor names.

comment:2 by strk, 7 years ago

Cc: robe added

This is still an issue, despite there being a .htaccess file (which is also visible). It shouldn't take much to fix. Regina: do you want to give this a try?

comment:3 by robe, 7 years ago

strk, I'm not sure how to fix this. The svn repo is publicly visible. I don't need to be logged into osgeo to see the folder above, I can just browse to it.

I don't think I have administrative rights on the svn server to do this. I don't even know where the server is housed. It would seem we'd need to remove public access to contribution_agreements in svn and make it only accessible to board members or others that have commit rights to the board folder.

That said I don't know how the svn feeds the website. This folder shouldn't even be pushing to the website.

comment:4 by strk, 7 years ago

Owner: changed from sac@… to strk
Status: new → assigned

I've fixed this with https://git.osgeo.org/gogs/sac/tracsvn-apache-config/commit/9da4123a334b33b825c548c19a59694f43d33021

All .pdf files now require login by users in the osgeo svn group. I'm not in that group, it looks like; can anyone who is test this?
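For readers who want to see what the approach discussed in comment:1 (block only the PDFs, at the Apache level) and applied in comment:4 (PDFs require login as a member of the svn group) looks like as configuration, here is an added illustration. It is not the content of the linked tracsvn-apache-config commit and not OSGeo's actual setup; the repository path, the Basic-auth provider and file locations, and the group name "svn" are all assumptions chosen for the example.

```apache
# Added example only; not the actual osgeo tracsvn-apache-config change.
# Assumes: Apache 2.4, mod_dav_svn serving the repository under /svn,
# a Basic-auth user file and a group file that defines a group "svn".
# "REPO_PLACEHOLDER" stands in for the real repository/path of the
# contribution_agreements directory, which this ticket does not spell out.

# Because mod_dav_svn serves repository content, not files on disk,
# <Files>/<FilesMatch> do not apply; match on the request URL instead.
# (?i) makes the extension match case-insensitive so "X.PDF" is covered too.
<LocationMatch "(?i)^/svn/REPO_PLACEHOLDER/contribution_agreements/.*\.pdf$">
    AuthType Basic
    AuthName "OSGeo SVN"
    AuthBasicProvider file
    AuthUserFile  "/etc/apache2/svn.htpasswd"   # assumed location
    AuthGroupFile "/etc/apache2/svn.groups"     # assumed location
    # Only authenticated members of the "svn" group may fetch agreements;
    # anonymous users get 401 for the PDFs but can still read everything else
    # in the directory (the sqlite file, the directory listing).
    Require group svn
</LocationMatch>

# A .htaccess committed inside the repository is just versioned content:
# Apache never evaluates it there, and it was itself web-readable. Hide it.
<LocationMatch "/\.htaccess$">
    Require all denied
</LocationMatch>
```

Two caveats follow from the directives themselves: the rule is keyed on the URL, so the directory listing still reveals the PDF file names to anonymous visitors (exactly what comment:6 observed), and it only governs access through Apache, so anything served from the repository by a different path (a mirror, a website build that pulls from svn) is not covered. Moving the files out of the public repository, as comment:9 does, removes both gaps.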

comment:5 by strk, 7 years ago

Cc: sac@… added

Re-adding SAC list in Cc as it was previously getting the mail as being the owner

comment:6 by robe, 7 years ago

Resolution: fixed
Status: assigned → closed

I tested and can see the list of PDFs when not logged in but can't download them.

If I log in then I can download the files as well.

I can download the contributors sqlite file as an anonymous user, but that sounds like that's what they wanted.

Closing this out.

comment:7 by strk, 7 years ago

Thanks for testing, Regina. Did you also try fetching from SVN? :)

comment:8 by robe, 7 years ago

Yes, I also tested fetching via svn and I can read the files from there when logged in. I forgot how to wipe out my credentials, so I haven't tested an anonymous checkout.

comment:9 by jachym, 7 years ago

Guys,

I just moved the agreements from svn to git: https://git.osgeo.org/gogs/Board/cla/

If I understand correctly, they should not be accessible from the web.

Sorry it took so long.

J
