On Fri, Dec 05, 2003 at 01:51:54AM +0000, James Troup wrote:
> Where can I login?
> ------------------
>
> There's been a fair bit of talk post-compromise about restricting
> access to machines running (core) services. At the moment, the only
> thing I'm (personally) doing is not enabling non-services accounts on
> auric (ftp-master) and klecker (security, non-US, qa, nm, www-master)
> immediately. Obviously, it's useful for random developers to have
> access to e.g. the postgres database of the archive, so the current
> plan if the restricted nature of auric becomes permanent is to mirror
> the system daily to another box that would be unrestricted. [This
> would have the added bonus of giving us a hot spare for
> disasters/arson attacks etc.]
>
> Basically the whole issue of what, if anything, to restrict is still
> up in the air. I'm looking for input/opinions/discussion on this. If
> you need access to the machines running the archives, please tell me
> (or probably better yet, start a thread on debian-devel) why.
It makes a lot of sense to restrict auric permanently and have an
up-to-date mirror for general access purposes. The issues I can think
of are:
- how to run the DELAYED queue (to give the possibility of deleting
things from it or to see what's in it)
- how to give developers the possibility of seeing what's in the queue
(daily rsyncs are not good enough for this; I've frequently pulled
packages from the accepted queue to check that bug fixes have been
correctly applied)
Julian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, website: http://www.polya.uklinux.net/
Debian GNU/Linux Developer, see: http://people.debian.org/~jdg/
Visit http://www.thehungersite.com/ to help feed the hungry
