From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev <gentoo-dev@lists.gentoo.org>
Subject: Re: [gentoo-dev] Re: stable-bot is down. Temporary? Forever? Can we have a contacts page for it?
Date: Tue, 8 Oct 2019 08:22:32 -0400 [thread overview]
Message-ID: <CAGfcS_ny4A_noohJfH2XWWE1x5BMVa1zYbw6Na30XU4dBh4hDw@mail.gmail.com> (raw)
In-Reply-To: <4e4819ce-84e5-8730-da43-177e1219b45e@gentoo.org>
On Tue, Oct 8, 2019 at 7:57 AM Michael Palimaka <kensington@gentoo.org> wrote:
>
> On 10/8/19 7:21 AM, Andreas K. Huettel wrote:
> > In any case, since many people *do* rely on it, maybe we should declare it
> > official? [+]
> >
> > And, if that's OK with both of you, move it onto infra hardware?
> >
> > Happy to sponsor both for the next council meeting agenda.
> >
> >
> > [+] At some point the one remaining whiner doesnt count anymore.
> >
>
> In the past, infra has been understandably hesitant to take on new
> services due to staffing issues.
>
> Additionally, I understand that the current infra design does not easily
> allow granular access control, preventing non-infra members from easily
> performing maintenance on individual services.
>
> Has this situation changed? I doubt infra want to take responsibility
> for the bot, and I don't fancy the hassle of trying to find people to
> poke things on my behalf.
>
IMO we should have a few tiers:
1. Absolutely core stuff that infra has to run (authentication, LDAP,
maybe some services, etc).
2. Community-run stuff that is FOSS, with public config tracking
(minus passwords/etc), and reasonably good docs.
3. Community-run stuff that is the wild west.
IMO having a service catalog that includes all of this stuff is
beneficial, with clear indications as to which tier each thing is in
and who to contact with issues.
Depending on #1-2 shouldn't really be a problem. #3 can be a
playground for experimentation but shouldn't be something we really
depend on for core workflow. To mitigate the risk of #2 we could have
exercises to clone services following docs/etc. If anything #2 has
the potential to be more reliable than #1 if it gets enough attention
(though there is no reason our internal services couldn't also be made
easy-to-replicate).
I think the issue here is that we don't really have any standards for
#2, but it is clear that this particular bot is intended to meet those
requirements but doesn't quite do so today.
I think this is a compromise that could help us focus our infra
resources where they're needed most, with some separation of concerns.
Ideally we should also make it possible via single-sign-on
technologies to leverage infra's authentication services for stuff in
tier 2, and maybe tier 3. Biggest risk is phishing if somebody spoofs
a sign-on page.
--
Rich
next prev parent reply other threads:[~2019-10-08 12:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-26 7:28 [gentoo-dev] stable-bot is down. Temporary? Forever? Can we have a contacts page for it? Sergei Trofimovich
2019-10-02 15:43 ` Matt Turner
2019-10-03 19:32 ` Robin H. Johnson
2019-10-04 3:09 ` bman
2019-10-04 11:30 ` Mike Gilbert
2019-10-07 11:29 ` [gentoo-dev] " Michael Palimaka
2019-10-07 19:11 ` Robin H. Johnson
2019-10-07 20:21 ` Andreas K. Huettel
2019-10-08 11:57 ` Michael Palimaka
2019-10-08 12:22 ` Rich Freeman [this message]
2019-10-08 15:46 ` Alec Warner
2019-10-07 11:27 ` Michael Palimaka
2019-12-24 12:19 ` Sergei Trofimovich
2019-12-06 16:15 ` [gentoo-dev] " Matt Turner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGfcS_ny4A_noohJfH2XWWE1x5BMVa1zYbw6Na30XU4dBh4hDw@mail.gmail.com \
--to=rich0@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox