| 1 |
On 2014.06.03 23:02, Andreas K. Huettel wrote: |
| 2 |
> Am Montag, 26. Mai 2014, 14:13:32 schrieb Rich Freeman: |
| 3 |
> > The next Gentoo Council meeting will be on 10 Jun 2014, at 19:00 |
| 4 |
> UTC. |
| 5 |
> > |
| 6 |
> > Please reply to this email with any proposed agenda items. |
| 7 |
> |
| 8 |
> Here's an agenda item. For discussion at the moment, since this is |
| 9 |
> not |
| 10 |
> |
| 11 |
> something the council can decide on its own; we need the help of |
| 12 |
> Infra |
| 13 |
> and the |
| 14 |
> foundation. Hopefully it will turn into something concrete, though |
| 15 |
> more on the |
| 16 |
> lines of a GLEP or an Infra policy. Several Infra and Council members |
| 17 |
> have |
| 18 |
> contributed ideas. |
| 19 |
> |
| 20 |
> ######## |
| 21 |
> Create a mechanism how Gentoo developers can |
| 22 |
> * host non-critical services |
| 23 |
> * on self-provided machines or later Gentoo-provided machines |
| 24 |
> * visible in a subdomain of gentoo.org, |
| 25 |
> * which they themselves administer fully and are fully responsible |
| 26 |
> for |
| 27 |
> * outside the direct control of Infra, but with some limitations (see |
| 28 |
> below) |
| 29 |
> |
| 30 |
> See it as a semi-official staging area for future core services. |
| 31 |
> |
| 32 |
> The foundation is asked to consider supporting such initiatives |
| 33 |
> financially if |
| 34 |
> they are clearly in the interest of the general developer community. |
| 35 |
> ######## |
| 36 |
> |
| 37 |
> Why? |
| 38 |
> |
| 39 |
> The Gentoo infrastructure is administered with the help of tools like |
| 40 |
> cfengine |
| 41 |
> or puppet, designed to distribute configuration to many machines. The |
| 42 |
> way this |
| 43 |
> is set up now, fine-grained access control is not yet possible. Which |
| 44 |
> means |
| 45 |
> that someone planning deployment of a new service on an official |
| 46 |
> machine needs |
| 47 |
> to get access to the central repositories and thereby intrinsically |
| 48 |
> also power |
| 49 |
> over core, critical services such as, e.g., cvs. |
| 50 |
> |
| 51 |
> Obviously administrative access to critical services should be |
| 52 |
> restricted to a |
| 53 |
> small trusted group, and this is what Infra is. |
| 54 |
> |
| 55 |
> Any new service that does not need any elevated access permissions |
| 56 |
> towards |
| 57 |
> core critical services (example, a repoman-checker that grabs the |
| 58 |
> public |
| 59 |
> portage tree, analyzes it and generates alerts; example 2, a program |
| 60 |
> that |
| 61 |
> parses ebuild SRC_URI, checks for availability of future versions, |
| 62 |
> and |
| 63 |
> |
| 64 |
> displays that information on a web interface) is effectively and |
| 65 |
> unnecessarily |
| 66 |
> blocked by this architecture. |
| 67 |
> |
| 68 |
> Our admins are busy keeping the core infrastructure running and safe |
| 69 |
> (and they |
| 70 |
> are doing this very well, thank you!); it's understandable that they |
| 71 |
> may not |
| 72 |
> want to accept additional burdens. Here's the way around it. |
| 73 |
> |
| 74 |
> Many of the pieces needed are already possible. This initiative aims |
| 75 |
> to make a |
| 76 |
> package of it and advertise it. |
| 77 |
> |
| 78 |
> What limitations? |
| 79 |
> |
| 80 |
> This is mostly obvious stuff. |
| 81 |
> |
| 82 |
> * The maintainers need to take security into account |
| 83 |
> * Minimal/none interaction with core services (except publically |
| 84 |
> available |
| 85 |
> things) |
| 86 |
> * No use of infra passwords / credentials |
| 87 |
> * Disclaimers on the service if web-based |
| 88 |
> * Possibly some sort of infra access as non-privileged user required, |
| 89 |
> e.g. for |
| 90 |
> running glsa-check |
| 91 |
> |
| 92 |
> Cheers & happy discussion, |
| 93 |
> Andreas |
| 94 |
> |
| 95 |
> -- |
| 96 |
> |
| 97 |
> Andreas K. Huettel |
| 98 |
> Gentoo Linux developer |
| 99 |
> dilfridge@g.o |
| 100 |
> http://www.akhuettel.de/ |
| 101 |
> |
| 102 |
> |
| 103 |
|
| 104 |
The foundation do not need to be involved any more that they are now. |
| 105 |
Anyone can apply for foundation funding for a project. |
| 106 |
As an individual trustee, I don't see this project as any different to |
| 107 |
any other project that way apply for funding. |
| 108 |
|
| 109 |
-- |
| 110 |
Regards, |
| 111 |
|
| 112 |
Roy Bamford |
| 113 |
(Neddyseagoon) a member of |
| 114 |
elections |
| 115 |
gentoo-ops |
| 116 |
forum-mods |
| 117 |
trustees |
Archives