
Re: Status of Debian accounts and legal agreements with cloud providers



Hi Jimmy

On Sun, Feb 03, 2019 at 11:11:52PM -0500, Jimmy Kaplowitz wrote:
> > The technical todo list AFAIK is:
> > - Create an owner e-mail alias somewhere in spi-inc.org or debian.org,
> >   which can be used as account owner for multiple AWS accounts and
> >   Azure (so the alias needs to support address extension somehow).
> 
> Can the owner email alias be changed later in unlikely hypothetical situations
> like where Debian stops working with SPI? If yes, I think it should be
> under @spi-inc.org since certain notices tied to the contractual
> relationship would likely get sent there.

It's unclear right now what addresses can be changed.  It is possible to
change the root account e-mail address on AWS.  But David said at the
sprint that there is something else that ties our old account to jeb,
and that's the reason why we need to create new ones instead of
re-assigning the old account.  I'll ask him.

> For an account that is only used by Debian and not other SPI
> projects, a @debian.org address would be okay too, but SPI people would
> need to be on it as well.
> 
> Either way, SPI needs to (non-exclusively) receive all emails about legal,
> contractual, and billing/payment topics.

Sure.  Let's wait for what David says, because depending on it we might need
to create it with @debian.org in the first place.

> >   This step needs a billing method assigned temporarily.  After that
> >   David can somehow move the projects into the Amazon OEM organization.
> 
> If it's a brief temporary need with no charges expected, we can probably
> use the SPI debit card. We should still get lamby to confirm as DPL that
> any charges during the temporary period can be paid from Debian's funds,
> but this should be no more of a problem than it was for the Debian Salsa
> arrangement on GCP.

Yes, that was my idea as well.

> > - Create debian.org (or SPI with debian.org[1]) Azure Active Directory for
> >   authentication.
> Hm. I don't know Azure AD enough to have an opinion right now about
> which way this should happen. My ideal is that SPI would retain ultimate
> control of the root of the hierarchy, that DSA would share control of
> the Debian portion, and that Debian and SPI each have a way to
> separately sync account/group info from (e.g.) Debian LDAP and from
> anything SPI chooses to use.

There is no hierarchy, so we need to create a Debian AAD and invite SPI
as admins.

Regards,
Bastian

-- 
A little suffering is good for the soul.
		-- Kirk, "The Corbomite Maneuver", stardate 1514.0

