[Fedora-infrastructure-list] Security, access and the config CVS

Mike McGrath mmcgrath at fedoraproject.org
Sat Jul 29 21:17:32 UTC 2006


So while dgilmore was rebuilding the builders this weekend I realized
a couple of things:

We need to re-think the cvs situation.  Not only have the configs
become woefully out of date with what's on the actual builders, but
upgrades can become difficult when moving from one OS to another
because of incompatibilities.  I don't know that we should get rid of
all of it, just re-think what goes in it or try to simplify it a bit.
Maybe write a script that runs daily and compares what's in CVS with
what's live?  Not perfect but better than what we have.  Regardless of
what we do with it we need to figure out where to put CVS because not
everyone has access to lockbox.

I've also been giving more thought to the security/access issue.
While re-doing the accounting system we need to think about ways to
increase security while lowering the barrier for entry to help support
Fedora's infrastructure.  We can add much of this to the current
accounting system for testing for when the new system gets built but
I'd like input on this from current infrastructure people and those
that aren't as active but are interested in participating more.

Which brings me to restarting the topic of
officers/leaders/sponsors/whatever.  By creating more fine-grained
security on the servers there is less of a need for root access on
those machines.  People interested in working on mail will be in a
mail group and have access to it.  Nagios, web, proxy, builders, cvs,
etc, all come to mind of things that can be administered without full
root access.  So the question is how do we determine who has root to
what boxes?  Should we pick some leaders of Red Hat engineers and
community members to have full root?  If so should it be of a set
number, similar to the FESCo?  I lean towards this setup because it
allows more people to participate sooner (without having to prove
themselves as much) but it will keep those with full root access to
the box low.

Lot of stuff for one email but it would be nice to get a lot of this
figured out before the next meeting so it doesn't run too long :-D

        -Mike
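
An added example, not part of the original message or of Fedora's tooling: one shape the daily CVS-versus-live comparison suggested above could take. It assumes a local CVS checkout mirrors the host's file layout and reports only files tracked in the checkout; the function names, paths and sample files are hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SKIP_DIRS = {"CVS"}  # CVS keeps its own metadata in a CVS/ directory at every level

def _digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_drift(checkout_root, live_root):
    """Return sorted (status, relative_path) pairs: "missing" means tracked in
    the checkout but absent on the host, "differs" means contents do not match."""
    drift = []
    for dirpath, dirnames, filenames in os.walk(checkout_root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune metadata
        for name in filenames:
            tracked = os.path.join(dirpath, name)
            rel = os.path.relpath(tracked, checkout_root)
            live = os.path.join(live_root, rel)
            if not os.path.isfile(live):
                drift.append(("missing", rel))
            elif _digest(tracked) != _digest(live):
                drift.append(("differs", rel))
    return sorted(drift)

def demo():
    """Constructed sample: a checkout of two config files against a host tree
    where one file was hand-edited and the other was never deployed."""
    trees = {
        "checkout": {"etc/mock/a.cfg": "v1\n", "etc/ntp.conf": "pool\n", "CVS/Entries": "x\n"},
        "live": {"etc/mock/a.cfg": "v1 hand-edited\n"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, body in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        return find_drift(os.path.join(tmp, "checkout"), os.path.join(tmp, "live"))

if __name__ == "__main__":
    for status, rel in demo():  # a daily cron job would mail or alert on this list
        print(f"{status:8} {rel}")
```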



