[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: recovery status update



On Fri, Dec 05, 2003 at 01:51:54AM +0000, James Troup wrote:
>                           Where can I login?
>                           ------------------
> 
> There's been a fair bit of talk post-compromise about restricting
> access to machines running (core) services.  At the moment, the only
> thing I'm (personally) doing is not enabling non-services accounts on
> auric (ftp-master) and klecker (security, non-US, qa, nm, www-master)
> immediately.  Obviously, it's useful for random developers to have
> access to e.g. the postgres database of the archive, so the current
> plan if the restricted nature of auric becomes permanent is to mirror
> the system daily to another box that would be unrestricted.  [This
> would have the added bonus of giving us a hot spare for
> disasters/arson attacks etc.]
> 
> Basically the whole issue of what, if anything, to restrict is still
> up in the air.  I'm looking for input/opinions/discussion on this.  If
> you need access to the machines running the archives, please tell me
> (or probably better yet, start a thread on debian-devel) why.

It makes a lot of sense to restrict auric permanently and have an
up-to-date mirror for general access purposes.  The issues I can think
of are:

- how to run the DELAYED queue (to give the possibility of deleting
  things from it or to see what's in it)

- how to give developers the possibility of seeing what's in the queue
  (daily rsyncs are not good enough for this; I've frequently pulled
  packages from the accepted queue to check that bug fixes have been
  correctly applied)


   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

        Julian Gilbey, website: http://www.polya.uklinux.net/
   Debian GNU/Linux Developer, see: http://people.debian.org/~jdg/
     Visit http://www.thehungersite.com/ to help feed the hungry



Reply to: