On 2014.06.03 23:02, Andreas K. Huettel wrote:
> On Monday, 26 May 2014, 14:13:32, Rich Freeman wrote:
> > The next Gentoo Council meeting will be on 10 Jun 2014, at 19:00 UTC.
> >
> > Please reply to this email with any proposed agenda items.
>
> Here's an agenda item. For discussion at the moment, since this is not
> something the council can decide on its own; we need the help of Infra and the
> foundation. Hopefully it will turn into something concrete, though more on the
> lines of a GLEP or an Infra policy. Several Infra and Council members have
> contributed ideas.
>
> ########
> Create a mechanism how Gentoo developers can
> * host non-critical services
> * on self-provided machines or later Gentoo-provided machines
> * visible in a subdomain of gentoo.org,
> * which they themselves administer fully and are fully responsible for
> * outside the direct control of Infra, but with some limitations (see below)
>
> See it as a semi-official staging area for future core services.
>
> The foundation is asked to consider supporting such initiatives financially if
> they are clearly in the interest of the general developer community.
> ########
>
> Why?
>
> The Gentoo infrastructure is administered with the help of tools like cfengine
> or puppet, designed to distribute configuration to many machines. The way this
> is set up now, fine-grained access control is not yet possible. Which means
> that someone planning deployment of a new service on an official machine needs
> to get access to the central repositories and thereby intrinsically also power
> over core, critical services such as, e.g., cvs.
>
> Obviously administrative access to critical services should be restricted to a
> small trusted group, and this is what Infra is.
>
> Any new service that does not need any elevated access permissions towards
> core critical services (example, a repoman-checker that grabs the public
> portage tree, analyzes it and generates alerts; example 2, a program that
> parses ebuild SRC_URI, checks for availability of future versions, and
> displays that information on a web interface) is effectively and unnecessarily
> blocked by this architecture.
>
> Our admins are busy keeping the core infrastructure running and safe (and they
> are doing this very well, thank you!); it's understandable that they may not
> want to accept additional burdens. Here's the way around it.
>
> Many of the pieces needed are already possible. This initiative aims to make a
> package of it and advertise it.
>
> What limitations?
>
> This is mostly obvious stuff.
>
> * The maintainers need to take security into account
> * Minimal/no interaction with core services (except publicly available
>   things)
> * No use of infra passwords / credentials
> * Disclaimers on the service if web-based
> * Possibly some sort of infra access as non-privileged user required, e.g. for
>   running glsa-check
>
> Cheers & happy discussion,
> Andreas
>
> --
>
> Andreas K. Huettel
> Gentoo Linux developer
> dilfridge@g.o
> http://www.akhuettel.de/
>

The foundation do not need to be involved any more than they are now.
Anyone can apply for foundation funding for a project.
As an individual trustee, I don't see this project as any different to
any other project that may apply for funding.

--
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods
trustees