public inbox for gentoo-project@lists.gentoo.org
From: "Andreas K. Huettel" <dilfridge@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: [gentoo-project] Re: [gentoo-dev-announce] Call For Agenda Items - 10 Jun 2014
Date: Wed, 4 Jun 2014 00:02:59 +0200
Message-ID: <201406040003.05726.dilfridge@gentoo.org>
In-Reply-To: <CAGfcS_nydQyxTBw1h0J37o2k7hTRDCdEyy=z=f02geLtauy++Q@mail.gmail.com>

On Monday, 26 May 2014, 14:13:32, Rich Freeman wrote:
> The next Gentoo Council meeting will be on 10 Jun 2014, at 19:00 UTC.
> 
> Please reply to this email with any proposed agenda items.

Here's an agenda item. For discussion at the moment, since this is not 
something the council can decide on its own; we need the help of Infra and the 
foundation. Hopefully it will turn into something concrete, though more on the 
lines of a GLEP or an Infra policy. Several Infra and Council members have 
contributed ideas.

########
Create a mechanism by which Gentoo developers can 
* host non-critical services 
* on self-provided machines or later Gentoo-provided machines
* visible in a subdomain of gentoo.org, 
* which they themselves administer fully and are fully responsible for
* outside the direct control of Infra, but with some limitations (see below)

See it as a semi-official staging area for future core services.

The foundation is asked to consider supporting such initiatives financially if 
they are clearly in the interest of the general developer community.
########

Why?

The Gentoo infrastructure is administered with the help of tools like cfengine 
or puppet, designed to distribute configuration to many machines. The way this 
is set up now, fine-grained access control is not yet possible. Which means 
that someone planning deployment of a new service on an official machine needs 
to get access to the central repositories and thereby intrinsically also power 
over core, critical services such as, e.g., cvs. 

Obviously administrative access to critical services should be restricted to a 
small trusted group, and this is what Infra is. 

Any new service that does not need any elevated access permissions towards 
core critical services (example, a repoman-checker that grabs the public 
portage tree, analyzes it and generates alerts; example 2, a program that 
parses ebuild SRC_URI, checks for availability of future versions, and 
displays that information on a web interface) is effectively and unnecessarily 
blocked by this architecture. 

Our admins are busy keeping the core infrastructure running and safe (and they 
are doing this very well, thank you!); it's understandable that they may not 
want to accept additional burdens. Here's the way around it. 

Many of the pieces needed are already possible. This initiative aims to make a 
package of it and advertise it.

What limitations?

This is mostly obvious stuff.

* The maintainers need to take security into account
* Minimal/no interaction with core services (except publicly available 
things)
* No use of infra passwords / credentials
* Disclaimers on the service if web-based
* Possibly some sort of infra access as non-privileged user required, e.g. for 
running glsa-check

Cheers & happy discussion, 
Andreas

-- 

Andreas K. Huettel
Gentoo Linux developer 
dilfridge@gentoo.org
http://www.akhuettel.de/

