
Re: Report from DSA Team Sprint in Oslo



]] Yves-Alexis Perez 

> You don't speak at all of the virtualization solution. Afair xen is
> currently already used on part of the infrastructure. Is it the
> preferred choice? Did you consider the use of containers / “lightweight
> virtualization”?

We're mostly using KVM nowadays and I think we're likely to continue
down that path.  Containers are interesting, but, from my very cursory
exploration of them, they are where full VMs were a few years back and
probably need a bit more maturing.

> > User and Group Management
> > =========================
> > 
> > Debian has, approximately, 50 000 shell accounts [4].  We believe most
> > of these are unused and would therefore like to disable those that are.
> > The goal is to reduce our exposure and not to take away anybody's
> > privileges.  We will monitor shell account activity in order to identify
> > and disable shell accounts that have been unused for a significant
> > amount of time (months).  We will extend ud-ldap to allow users to
> > easily and quickly re-enable their shell accounts.
> 
> So that means something like a signed mail based “shell-knocking”? DD
> would need to send a gpg-signed mail to (re)enable a shell on a chosen
> machine before he can use it?

That's one possible way, we might also make it available on the LDAP
update web form.  The exact details have not been worked out.

> > Similarly, there is currently no mechanism which ensures that people
> > only have the group memberships which they are using.  We would like to
> > implement a system which will require users to periodically confirm
> > their group memberships.  Like the shell accounts, the goal is to reduce
> > our exposure, not to take away anybody's privileges.
> 
> Shouldn't the various teams handling the group take care of managing
> them? Do they currently fail at that?

I think we can say that yes, they generally fail at asking for people to
be removed from groups.  I'm still a member of webwml even though I
don't think I've committed anything there since 2007 or so.  I'm also
apparently a qa member, though I can't even remember asking to be put in
the group. :-)

(Not picking on those two groups specifically, I'm just using myself as
an example here.)

> Regards, and again thank you for all the work!

:-)

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
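The shell-account sweep the report describes (flag accounts unused for months, disable them, let the owner re-enable) can be sketched in a few dozen lines. The following is an added example written for this page; it is not DSA tooling and not part of ud-ldap. It assumes a pre-collected `user epoch` listing merged from lastlog/wtmp across hosts (a constructed format, with `0` meaning never logged in), a fixed "now" so the run is reproducible, and a hypothetical exempt list for role accounts; it only returns the commands it would run.

```python
"""Inactivity sweep for shell accounts (added example, not DSA's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample data; usernames and timestamps are made up.
# Format (assumed for this example): "user last_login_epoch", 0 = never.
SAMPLE_LASTLOGIN = """\
# user  last_login_epoch (0 = never logged in)
alice   1357000000
bob     0
carol   1425000000
dave    1430000000
sysadm  0
"""

# Fixed "now" so the demo is reproducible: 2015-07-01 00:00 UTC.
DEMO_NOW = datetime(2015, 7, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Verdict:
    user: str
    last_login: Optional[datetime]
    action: str  # "keep", "lock-idle" or "lock-never"


def parse_last_logins(text: str) -> Dict[str, Optional[datetime]]:
    """Parse 'user epoch' lines into {user: datetime-or-None}."""
    logins: Dict[str, Optional[datetime]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        user, epoch = line.split()
        ts = int(epoch)
        logins[user] = None if ts == 0 else datetime.fromtimestamp(ts, tz=timezone.utc)
    return logins


def sweep(last_logins, now, max_idle_days=180, exempt=frozenset()):
    """Decide per account: keep it, or lock it because it is idle/never used."""
    cutoff = now - timedelta(days=max_idle_days)
    verdicts = []
    for user, last in sorted(last_logins.items()):
        if user in exempt:
            action = "keep"        # role accounts are handled elsewhere (assumed)
        elif last is None:
            action = "lock-never"  # never logged in anywhere
        elif last < cutoff:
            action = "lock-idle"   # older than the idle threshold
        else:
            action = "keep"        # recent, including future stamps from clock skew
        verdicts.append(Verdict(user, last, action))
    return verdicts


def lock_commands(verdicts):
    """Commands to disable flagged accounts (returned, never executed here).

    Locking only the password (usermod -L) is not enough: with UsePAM yes,
    as on Debian, sshd still accepts public-key logins for a '!'-locked
    account. Expiring the account and removing the login shell closes that.
    Re-enabling is the reverse: usermod -e '' -s /bin/bash USER.
    """
    return [
        f"usermod -L -e 1970-01-02 -s /usr/sbin/nologin {v.user}"
        for v in verdicts
        if v.action != "keep"
    ]


def run_demo():
    """Sweep the constructed sample; return ((user, action) pairs, commands)."""
    verdicts = sweep(parse_last_logins(SAMPLE_LASTLOGIN), DEMO_NOW,
                     max_idle_days=180, exempt=frozenset({"sysadm"}))
    return [(v.user, v.action) for v in verdicts], lock_commands(verdicts)


if __name__ == "__main__":
    pairs, cmds = run_demo()
    for user, action in pairs:
        print(f"{user:8s} {action}")
    print("\n".join(cmds))
```

The point worth keeping from this sketch is the disable step: on a Debian host a password lock alone leaves SSH key logins working, so an inactivity sweep that only runs `usermod -L` reduces nothing; expiring the account (or removing the shell) is what actually closes the door, and both are trivially reversible when the owner asks for the account back.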

