From: "Andreas K. Huettel" <dilfridge@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: [gentoo-project] Re: [gentoo-dev-announce] Call For Agenda Items - 10 Jun 2014
Date: Wed, 4 Jun 2014 00:02:59 +0200
Message-ID: <201406040003.05726.dilfridge@gentoo.org>
In-Reply-To: <CAGfcS_nydQyxTBw1h0J37o2k7hTRDCdEyy=z=f02geLtauy++Q@mail.gmail.com>
On Monday, 26 May 2014, 14:13:32, Rich Freeman wrote:
> The next Gentoo Council meeting will be on 10 Jun 2014, at 19:00 UTC.
>
> Please reply to this email with any proposed agenda items.
Here's an agenda item. For discussion at the moment, since this is not
something the council can decide on its own; we need the help of Infra and the
foundation. Hopefully it will turn into something concrete, though more on the
lines of a GLEP or an Infra policy. Several Infra and Council members have
contributed ideas.
########
Create a mechanism by which Gentoo developers can
* host non-critical services
* on self-provided machines or later Gentoo-provided machines
* visible in a subdomain of gentoo.org,
* which they themselves administer fully and are fully responsible for
* outside the direct control of Infra, but with some limitations (see below)
See it as a semi-official staging area for future core services.
The foundation is asked to consider supporting such initiatives financially if
they are clearly in the interest of the general developer community.
########
Why?
The Gentoo infrastructure is administered with the help of tools like cfengine
or puppet, designed to distribute configuration to many machines. The way this
is set up now, fine-grained access control is not yet possible. Which means
that someone planning deployment of a new service on an official machine needs
to get access to the central repositories and thereby intrinsically also power
over core, critical services such as, e.g., cvs.
Obviously administrative access to critical services should be restricted to a
small trusted group, and this is what Infra is.
Any new service that does not need any elevated access permissions towards
core critical services (example, a repoman-checker that grabs the public
portage tree, analyzes it and generates alerts; example 2, a program that
parses ebuild SRC_URI, checks for availability of future versions, and
displays that information on a web interface) is effectively and unnecessarily
blocked by this architecture.
Our admins are busy keeping the core infrastructure running and safe (and they
are doing this very well, thank you!); it's understandable that they may not
want to accept additional burdens. Here's the way around it.
Many of the pieces needed are already possible. This initiative aims to make a
package of it and advertise it.
What limitations?
This is mostly obvious stuff.
* The maintainers need to take security into account
* Minimal/no interaction with core services (except publicly available
things)
* No use of infra passwords / credentials
* Disclaimers on the service if web-based
* Possibly some sort of infra access as non-privileged user required, e.g. for
running glsa-check
Cheers & happy discussion,
Andreas
--
Andreas K. Huettel
Gentoo Linux developer
dilfridge@gentoo.org
http://www.akhuettel.de/