Presently we have nasty permissions tangles. I propose (and plan to appropriate/beg/borrow/steal hardware to do this):

- Separate repository holding machine (a raid5 system).
- Separate web server machine (a raid5 system).
- Separate home directory and file storage NFS server, with no root access over NFS and nodev,nosuid.
- freefall and ref* machines will have little or no local storage and will NFS mount the homedirs (see no root write access, nosuid etc). This goes for things like builder etc as well.
- Separate local mail system so that people who cannot or will not forward their email elsewhere and/or pop over an ssh tunnel can still get their freebsd.org email.

(machines or roles that I don't mention stay the same)

Of note:

- committers and outside third parties will only have logins on freefall and ref*.
- freefall/ref*/www are considered "untrusted" and have *NO* access to any other backend machines. Effectively we treat them as though they have already been broken into, therefore minimizing any effects of a compromised committer account etc.
- The web server is in a separate sealed box with *no* access to anything else. Each time it gets rooted, we can blow it away and start from scratch if needed. If it gets broken into, the worst that can be done is to deface the web pages - the repo and homedirs will be unreachable.
- Because we consider the freefall/ref*/web machines as already untrustable, we stop allowing them to trampoline to the other machines (in case ssh gets trojaned or a password sniffed). Access to the backend machines for admins is via direct connect only, not via another freebsd machine.
- commits will be done via a restricted shell type system where the only command it can run is 'cvs'. Kinda like the old anoncvs stuff. It will not be possible for a normal user to ssh in. The only other access is cvsupd on it exporting to a readonly copy on freefall and cvsupmaster.
- In particular, the 'everybody has a login everywhere' concept has got to go in order for damage control (eg: when wosch's account gets compromised next time) to be reasonable.
- people.freebsd.org becomes a simple static-only http server with no cgi's or anything. It should be *much* harder to break into as a result.
- the committer machines get stripped back to bare-bones again. Only necessary 3rd party stuff gets installed.

The worst case scenarios are not too bad. Suppose a committer gets compromised via a connection hijack. The worst they can do is get into freefall and the ref machines. They could commit something, but that will get spotted pretty quickly, and we will have a tamper-proof audit trail (people's commit mail distributed around the world) of what happened. Even if freefall/ref* etc get root compromised, the worst that can happen is other committer files get accessed. The repo and what gets distributed should be safe (aside from the visible commits).

We have been pretty lucky with break-ins so far. People could really have gone to town with us and given us a serious black eye by compromising the source tree behind the scenes. We cannot depend on luck to keep us safe.

Yes, there are quite a few loose ends to take care of (gnats, web build distribution, the evil http reverse proxies etc), but nothing impossible to fix/work around. In particular, we can arrange to have stuff read-only replicated to places that freefall can access (eg: mailing list archives, cvs repo) directly but without exposing those services to potentially hostile users.
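As an added illustration of the "restricted shell where the only command it can run is 'cvs'" item in the proposal above (example code written for this page, not the mail's author's or the FreeBSD project's own implementation), here is a small login shell / forced-command wrapper for the repository host. The script name cvs-only, its install path and the cvs binary path are assumptions; the ssh client really does request exactly "cvs server" for a :ext: connection, and sshd really does export the requested command as SSH_ORIGINAL_COMMAND for a forced command.

```shell
#!/bin/sh
# cvs-only: added example, not from the original mail. A restricted login
# shell for the repo machine that lets an ssh session run nothing but the
# server side of cvs. Paths below are assumptions for the example.
#
# Install either as the committer's login shell on the repo host, or
# (better) as a forced command on each committer key in
# ~/.ssh/authorized_keys, so the key cannot be used for anything else:
#
#   command="/usr/local/bin/cvs-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... user@host
#
# A remote "cvs -d :ext:user@repo:/cvs ..." client asks the server to run
# exactly "cvs server". Anything else is a human (or a hijacked session)
# trying to get a shell, and is refused.

CVS_BIN=/usr/bin/cvs    # assumed location of the real cvs binary

# Policy decision for the command the ssh client requested. Prints "allow"
# for the single permitted command and "deny" for everything else, so the
# policy can be checked without exec'ing anything. The match is exact:
# "cvs server; id", "/usr/bin/cvs server" or an empty request all fail.
cvs_only_decide() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

# Act on the decision: exec the fixed argv on allow, log and fail on deny.
# The request string is never handed to a shell, only compared.
cvs_only_run() {
    req="$1"
    if [ "$(cvs_only_decide "$req")" = allow ]; then
        exec "$CVS_BIN" server
    fi
    logger -p auth.warning -t cvs-only \
        "refused command from ${USER:-?}: $req" 2>/dev/null || :
    echo "cvs-only: only 'cvs server' is permitted on this host" >&2
    exit 127
}

# Entry point. As a forced command, sshd supplies the client's request in
# SSH_ORIGINAL_COMMAND; as a login shell, ssh invokes us as "$0 -c cmd".
# An interactive login (no command at all) falls through and the script
# simply ends, so no shell is ever handed out.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    cvs_only_run "$SSH_ORIGINAL_COMMAND"
elif [ "${1-}" = "-c" ]; then
    cvs_only_run "${2-}"
fi
```

The forced-command form is preferable to a login shell because the no-pty/no-*-forwarding options travel with the key, so a committer whose key is stolen still gets nothing but a cvs server process on the repo box. What remains exposed is the cvs binary itself and the repository permissions it runs under, which is exactly the surface the proposal wants to be the only one.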