Re: [buildd] Implications of DSA-1571-1

To: Stephen R Marenka <stephen@marenka.net>
Cc: debian-68k@lists.debian.org
Subject: Re: [buildd] Implications of DSA-1571-1
From: Michael Schmitz <schmitz@mail.biophys.uni-duesseldorf.de>
Date: Thu, 15 May 2008 23:10:11 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.1.00.0805152244280.16530@zirkon.biophys.uni-duesseldorf.de>
In-reply-to: <[🔎] 20080515122955.GA14123@marenka.net>
References: <[🔎] 20080513180053.GK9921@2004.bluespice.org> <[🔎] 20080515122955.GA14123@marenka.net>

Hi,

Might as well collect an up-to-date listing for all the buildds. I'm
hoping we'll have the opportunity to update keys at buildd.d.o. So I'd
like to update all the questions we normally get asked.

The question is, should we maintain this on a wiki where it can be
updated? We've potentially got 25 buildds if all of them were up and
running. I can keep that in a spreadsheet, but it'll bit rot as soon as
something changes and I don't notice. (Look a shiny thing, I must chase
it. :)


Even if it's not much information, having it on a wiki would be nice.

The only downside I see is spam harvesting and frankly I've got a nice
procmail filter that keeps spam from making it to my buildds (buildd
mail only knows six messages, everything else must be spam). If I was
really clever, I could probably drop such messages earlier. Hmmmm.

If we route all buildd mail via debian (or other) mail servers, that kindof procmail fitering could happen there.

What other questions should we ask/track?

Thanks,

Stephen


builddname: buildd_m68k-foo
hostname: foo.debian.org
dynamic/static ip: static
ssh connection info: ssh -p2145 foo.debian.org
buildd email: buildd@foo.debian.org
buildd admin(s): John Doe <bar@debian.org>
local admin: Jane Baz <baz@foobar.com>

Who else has access (posibly sudo) and can unjam things, or take over logsfor this machine?

configured suites: experimental, unstable, testing, testing-security

host key:
ssh-rsa blahblahblah root@foo

buildd ssh key:
ssh-rsa blahblahblah buildd@foo

kernel: 2.6.25-2
distro: etch-m68k
has patched ssl and ssh (yes,no,n/a): yes

I'd classify information like ssh connection info and backup admins assensitive, and would suggest to keep them out of public view. As the wikiwill need some sort of account management, that should not be too hard todo.

While we're on the topic of renewing buildd.d.o ssh keys - is there anyway to tell the SSH server to accept dynamic DNS addresses, in the sensethat they may not resolve to the dyndns host name on a reverse query?Otherwise, the buildd.d.o admins would have to accept a rather broadwildcarding on my part (*.jetstream....), or set up a system to securelyregister the current buildd IP address (like dyndns update).

Lastly: I'm cleaning up kullervo's vast backlog of 370 failed build trees,because it makes buildd-watcher spend way too much time looking foroutdatest files. I'm currently keeping two months' worth of build trees.Feel free to shoot me :-)


	Michael

Reply to:

Follow-Ups:
- Re: [buildd] Implications of DSA-1571-1
  - From: Ingo Juergensmann <ij@2008.bluespice.org>

References:
- [buildd] Implications of DSA-1571-1
  - From: Ingo Juergensmann <ij@2008.bluespice.org>
- Re: [buildd] Implications of DSA-1571-1
  - From: Stephen R Marenka <stephen@marenka.net>

Prev by Date: Re: [buildd] Implications of DSA-1571-1
Next by Date: Re: [buildd] Implications of DSA-1571-1
Previous by thread: Re: [buildd] Implications of DSA-1571-1
Next by thread: Re: [buildd] Implications of DSA-1571-1
Index(es):
- Date
- Thread