Re: Report from DSA Team Sprint in Oslo
Yves-Alexis Perez wrote:
> You don't speak at all of the virtualization solution. Afair xen is
> currently already used on part of the infrastructure. Is it the
> preferred choice? Did you consider the use of containers / “lightweight
We're mostly using KVM nowadays and I think we're likely to continue
down that path. Containers are interesting, but, from my very cursory
exploration of them, they are where full VMs were a few years back and
probably need a bit more maturing.
> > User and Group Management
> > =========================
> > Debian has, approximately, 50 000 shell accounts. We believe most
> > of these are unused and would therefore like to disable those that are.
> > The goal is to reduce our exposure and not to take away anybody's
> > privileges. We will monitor shell account activity in order to identify
> > and disable shell accounts that have been unused for a significant
> > amount of time (months). We will extend ud-ldap to allow users to
> > easily and quickly re-enable their shell accounts.
> So that means something like a signed mail based “shell-knocking”? DD
> would need to send a gpg-signed mail to (re)enable a shell on a chosen
> machine before he can use it?
That's one possible way; we might also make it available on the LDAP
update web form. The exact details have not been worked out.
> > Similarly, there is currently no mechanism which ensures that people
> > only have the group memberships which they are using. We would like to
> > implement a system which will require users to periodically confirm
> > their group memberships. Like the shell accounts, the goal is to reduce
> > our exposure, not to take away anybody's privileges.
> Shouldn't the various teams handling the group take care of managing
> them? Do they currently fail at that?
I think we can say that yes, they generally fail at asking for people to
be removed from groups. I'm still a member of webwml even though I
don't think I've committed anything there since 2007 or so. I'm also
apparently a qa member, though I can't even remember asking to be put in
the group. :-)
(Not picking on those two groups specifically, I'm just using myself as
an example here.)
> Regards, and again thank you for all the work!
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
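The two review steps the quoted DSA report describes (flagging shell accounts unused for months, and asking members to periodically re-confirm group memberships) can be sketched as a small script. The following is an added example, not code from the DSA team or from ud-ldap; it assumes a constructed "user,last_login" text format and an in-memory group map instead of the real LDAP data, and the 180-day and 365-day thresholds are assumed values, not ones stated in the thread.

```python
"""Stale shell-account and unconfirmed-group-membership review (added example)."""
from datetime import date, timedelta

# Constructed sample input: one line per account, "user,last_login" where
# last_login is an ISO date or the word "never". Not real Debian data.
SAMPLE_LASTLOG = """\
alice,2024-05-20
bob,2023-01-15
carol,never
dave,2024-06-01
"""

# Constructed sample: group -> {member: date the member last confirmed
# the membership, or None if they never did}. Group names are assumed.
SAMPLE_GROUPS = {
    "webwml": {"alice": date(2024, 4, 1), "bob": date(2007, 3, 9)},
    "qa": {"bob": None, "dave": date(2024, 5, 5)},
}


def parse_lastlog(text):
    """Parse the constructed CSV format into {user: date or None}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, last = line.partition(",")
        records[user] = None if last == "never" else date.fromisoformat(last)
    return records


def stale_accounts(records, today, max_idle_days=180):
    """Accounts whose last login is older than max_idle_days, or never."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u for u, last in records.items() if last is None or last < cutoff)


def unconfirmed_memberships(groups, today, max_age_days=365):
    """(group, user) pairs whose confirmation is missing or older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    out = []
    for group, members in sorted(groups.items()):
        for user, confirmed in sorted(members.items()):
            if confirmed is None or confirmed < cutoff:
                out.append((group, user))
    return out


def review(lastlog_text=SAMPLE_LASTLOG, groups=SAMPLE_GROUPS, today=date(2024, 6, 15)):
    """Run both checks; the caller decides how to notify or disable."""
    records = parse_lastlog(lastlog_text)
    return {
        "disable_shell": stale_accounts(records, today),
        "reconfirm": unconfirmed_memberships(groups, today),
    }


if __name__ == "__main__":
    for action, subjects in review().items():
        print(action, subjects)
```

The output is a list of proposed actions rather than an immediate change, which matches the thread's point that the goal is exposure reduction without silently taking privileges away: accounts on the disable list would get the re-enable path discussed above, and members on the reconfirm list would get a prompt, not an automatic removal.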