[Modules] finding the little buggers

Hans-Martin Mosner hmm at heeg.de
Fri Aug 17 13:45:34 UTC 2001


At the risk of repeating myself over and over...

Peter Crowther wrote:
> 
> > From: Andrew P. Black [mailto:black at cse.ogi.edu]
> [...]
> > How about a
> > single repository for _all_ Squeak Packages.
> [...]
How about using the SCAN repository or something similar? Look at http://squeak.heeg.de:8080/ which has not only the complete source code but is an actual running SCAN server.
> 
> Who manages it?
SCAN allows multiple repositories which can synchronize with each other, so there is no single manager. As long as one server is up, you can access it.
> 
> Who maintains it?
Each server is controlled by the person having control over the machine it's running on. http://squeak.heeg.de:8080/ is controlled by me, but for example http://scan.squeakland.org/ could be controlled by someone from SqC, and others by still other people.
Nobody as a single person controls what gets into the repository; this is something that only its users do.
> 
> Who handles security on it?  Who can add packages?  Rephrased: How do I know
> whether or not I can trust a package that is hosted on it?
SCAN uses the Digital Signature Algorithm to sign packages.
Any SCAN user can add packages after creating a user id within SCAN. Mine, for example, is at http://squeak.heeg.de:8080/9YS24Y2F16MG8QG8IEAVXSVDRXP928B
Since the private part of every application author's public key pair is only stored on his/her client machine, and the validity of signatures is checked on the machine of the application user, nobody in the can tamper with packages.
However, you need some form of establishing a link between a SCAN user id and an actual person, and then you need to decide for yourself whether you would trust code written (or signed) by that person. But that's an entirely different matter.
> 
> Where do I put internal packages that are only relevant to my organisation?
Run your own SCAN repository server, and create a SCAN distribution for your organization which includes only users from your organization. The SCAN repository synchronization protocol includes a user verification step based on DSA, so no outside person could access your private packages even if they have network access to it. For example, I have a distribution for my private stuff at http://squeak.heeg.de:8080/MYNVDMVHPNMNCOCGBUCMYFZY43L9B63 which allows access only from my servers (and one Test User which I created for testing only).

It's all there, just take it.

Cheers,
Hans-Martin
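An added example, not part of the original message or of SCAN's own code, modelling the trust argument above with Go's standard crypto/dsa package: the author signs the package bytes with a private key that stays on their machine, the repository only stores bytes, public key and signature, and the user verifies before installing, so an edit made on the server shows up as a failed signature. The SignedPackage type, the SHA-1 digest and the L1024N160 parameter size are assumptions made for this example, not SCAN's actual format or parameters.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// SignedPackage models what a repository server stores and serves: package
// bytes, the author's public key and the signature. Constructed for this example.
type SignedPackage struct {
	Body      []byte
	AuthorPub dsa.PublicKey
	R, S      *big.Int
}

// NewAuthorKey makes the author's key pair; L1024N160 is used only for speed.
func NewAuthorKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	return priv, dsa.GenerateKey(priv, rand.Reader)
}

// Publish runs on the author's machine; the private key never leaves it.
func Publish(priv *dsa.PrivateKey, body []byte) (*SignedPackage, error) {
	digest := sha1.Sum(body) // 160-bit digest matches the N160 subgroup size
	r, s, err := dsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedPackage{Body: body, AuthorPub: priv.PublicKey, R: r, S: s}, nil
}

// Verify runs on the user's machine against whatever the server handed out.
func Verify(pkg *SignedPackage) bool {
	digest := sha1.Sum(pkg.Body)
	return dsa.Verify(&pkg.AuthorPub, digest[:], pkg.R, pkg.S)
}

func main() {
	priv, _ := NewAuthorKey()
	pkg, _ := Publish(priv, []byte("Object subclass: #Foo"))
	fmt.Println("as published:", Verify(pkg))
	pkg.Body = append(pkg.Body, " \"edited on the server\""...)
	fmt.Println("after tampering:", Verify(pkg))
}
```

Linking a key to a person, as the message says, is a separate step: the check above only proves that whoever holds the private key signed exactly these bytes.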



