Old 08-05-2010, 05:37 PM
Dennis Gilmore
 
Default Allow all signers to read the key to upload signed rpms

diff --git a/manifests/services/pkgsigner.pp
b/manifests/services/pkgsigner.pp
index 11af55c..4449934 100644
---
a/manifests/services/pkgsigner.pp
+++ b/manifests/services/pkgsigner.pp
@@
-17,7 +17,7 @@ class pkgsigner {

folder { "/etc/pki/pkgsigner/":

owner => 'root',
- group => 'jkeating',
+ group =>
'signers',
mode => '0750',
source => "blank/"
}
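Review bot: the hunk as posted is line-wrapped (`+ group =>` and `'signers',` arrive on separate lines), so it will not apply with `git am` or `patch` until the line is re-joined; confirm the committed version reads `+ group => 'signers',` or resend the patch as an attachment. On the change itself, moving the directory's group from the single user `jkeating` to the `signers` group makes membership of that group the access control for everything under /etc/pki/pkgsigner/, so the commit message should state who administers the group and how additions are approved.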
@@
-25,7 +25,7 @@ class pkgsigner {
cert {
'/etc/pki/pkgsigner/pkgsigner.pem':
source =>
'secure/pkgsigner_key_and_cert.pem',
owner => 'root',
-
group => 'jkeating',
+ group => 'signers',
mode => '440'

}
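Review bot: the file being made group-readable is sourced from `secure/pkgsigner_key_and_cert.pem`, so with `group => 'signers'` and `mode => '440'` every member of `signers` can copy the private key itself, not merely sign with it. If the intent is only to let signers upload, consider keeping the key readable by root alone and doing the signing through a root-owned helper; if direct read access to the key is intended, say so in the commit message. Minor: the sibling `folder` resource writes its mode as `'0750'` while this one uses `'440'`; `'0440'` keeps the style consistent.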

@@ -45,7 +45,7 @@ class epel-pkgsigner {

folder {
"/etc/pki/pkgsigner/":
owner => 'root',
- group =>
'jkeating',
+ group => 'signers',
mode => '0750',

source => "blank/"
}
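Review bot: this `folder { "/etc/pki/pkgsigner/": }` resource is a verbatim copy of the one in class `pkgsigner` above, with the same attributes, and had to be edited in lockstep in this patch; the two copies will drift the next time one is touched. Because both classes declare a resource with the identical title, they also cannot be included on the same node without a duplicate-declaration error. Factoring the directory and cert into a shared define or class that both `pkgsigner` and `epel-pkgsigner` include would remove the duplication.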
@@ -53,7 +53,7 @@ class epel-pkgsigner {
cert
{ '/etc/pki/pkgsigner/pkgsigner.pem':
source =>
'secure/pkgsigner_key_and_cert.pem',
owner => 'root',
-
group => 'jkeating',
+ group => 'signers',
mode => '440'

}
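Review bot: both classes install the same `secure/pkgsigner_key_and_cert.pem` to the same path and now grant the same `signers` group read access, so the `pkgsigner` and `epel-pkgsigner` roles share one private key and one signer population, and widening read access here widens it for both. If EPEL signers are meant to be a different set of people from Fedora signers, that needs a separate group (and arguably a separate key) rather than `signers` in both classes. Same style nit as above: `'440'` versus `'0750'`.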


_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 08-05-2010, 05:47 PM
Mike McGrath
 
Default Allow all signers to read the key to upload signed rpms

+1 (assuming your kmail mangled the patch a bit ;-P)

-Mike


On Thu, 5 Aug 2010, Dennis Gilmore wrote:

> diff --git a/manifests/services/pkgsigner.pp
> b/manifests/services/pkgsigner.pp
> index 11af55c..4449934 100644
> ---
> a/manifests/services/pkgsigner.pp
> +++ b/manifests/services/pkgsigner.pp
> @@
> -17,7 +17,7 @@ class pkgsigner {
>
> folder { "/etc/pki/pkgsigner/":
>
> owner => 'root',
> - group => 'jkeating',
> + group =>
> 'signers',
> mode => '0750',
> source => "blank/"
> }
> @@
> -25,7 +25,7 @@ class pkgsigner {
> cert {
> '/etc/pki/pkgsigner/pkgsigner.pem':
> source =>
> 'secure/pkgsigner_key_and_cert.pem',
> owner => 'root',
> -
> group => 'jkeating',
> + group => 'signers',
> mode => '440'
>
> }
>
> @@ -45,7 +45,7 @@ class epel-pkgsigner {
>
> folder {
> "/etc/pki/pkgsigner/":
> owner => 'root',
> - group =>
> 'jkeating',
> + group => 'signers',
> mode => '0750',
>
> source => "blank/"
> }
> @@ -53,7 +53,7 @@ class epel-pkgsigner {
> cert
> { '/etc/pki/pkgsigner/pkgsigner.pem':
> source =>
> 'secure/pkgsigner_key_and_cert.pem',
> owner => 'root',
> -
> group => 'jkeating',
> + group => 'signers',
> mode => '440'
>
> }
>
>
>
 
Old 08-05-2010, 11:44 PM
Kevin Fenzi
 
Default Allow all signers to read the key to upload signed rpms

On Thu, 5 Aug 2010 12:37:00 -0500
Dennis Gilmore <dennis@ausil.us> wrote:

> diff --git a/manifests/services/pkgsigner.pp
> b/manifests/services/pkgsigner.pp
> index 11af55c..4449934 100644
> ---
> a/manifests/services/pkgsigner.pp
> +++ b/manifests/services/pkgsigner.pp
> @@
> -17,7 +17,7 @@ class pkgsigner {
>
> folder { "/etc/pki/pkgsigner/":
>
> owner => 'root',
> - group => 'jkeating',
> + group =>
> 'signers',
> mode => '0750',
> source => "blank/"
> }
> @@
> -25,7 +25,7 @@ class pkgsigner {
> cert {
> '/etc/pki/pkgsigner/pkgsigner.pem':
> source =>
> 'secure/pkgsigner_key_and_cert.pem',
> owner => 'root',
> -
> group => 'jkeating',
> + group => 'signers',
> mode => '440'
>
> }
>
> @@ -45,7 +45,7 @@ class epel-pkgsigner {
>
> folder {
> "/etc/pki/pkgsigner/":
> owner => 'root',
> - group =>
> 'jkeating',
> + group => 'signers',
> mode => '0750',
>
> source => "blank/"
> }
> @@ -53,7 +53,7 @@ class epel-pkgsigner {
> cert
> { '/etc/pki/pkgsigner/pkgsigner.pem':
> source =>
> 'secure/pkgsigner_key_and_cert.pem',
> owner => 'root',
> -
> group => 'jkeating',
> + group => 'signers',
> mode => '440'
>
> }

Looks good to me, +1

kevin

 
Old 08-10-2010, 10:37 PM
John Poelstra
 
Default Allow all signers to read the key to upload signed rpms

Kevin Fenzi said the following on 08/05/2010 04:44 PM Pacific Time:
> On Thu, 5 Aug 2010 12:37:00 -0500
> Dennis Gilmore<dennis@ausil.us> wrote:
>
>> diff --git a/manifests/services/pkgsigner.pp
>> b/manifests/services/pkgsigner.pp
>> index 11af55c..4449934 100644
>> ---
>> a/manifests/services/pkgsigner.pp
>> +++ b/manifests/services/pkgsigner.pp
>> @@
>> -17,7 +17,7 @@ class pkgsigner {
>>
>> folder { "/etc/pki/pkgsigner/":
>>
>> owner => 'root',
>> - group => 'jkeating',
>> + group =>
>> 'signers',
>> mode => '0750',
>> source => "blank/"
>> }
>> @@
>> -25,7 +25,7 @@ class pkgsigner {
>> cert {
>> '/etc/pki/pkgsigner/pkgsigner.pem':
>> source =>
>> 'secure/pkgsigner_key_and_cert.pem',
>> owner => 'root',
>> -
>> group => 'jkeating',
>> + group => 'signers',
>> mode => '440'
>>
>> }
>>
>> @@ -45,7 +45,7 @@ class epel-pkgsigner {
>>
>> folder {
>> "/etc/pki/pkgsigner/":
>> owner => 'root',
>> - group =>
>> 'jkeating',
>> + group => 'signers',
>> mode => '0750',
>>
>> source => "blank/"
>> }
>> @@ -53,7 +53,7 @@ class epel-pkgsigner {
>> cert
>> { '/etc/pki/pkgsigner/pkgsigner.pem':
>> source =>
>> 'secure/pkgsigner_key_and_cert.pem',
>> owner => 'root',
>> -
>> group => 'jkeating',
>> + group => 'signers',
>> mode => '440'
>>
>> }
>
> Looks good to me, +1
>
> kevin
>
>

It seems to me that this is a very important group. Do we have an SOP
that describes how this group is handled?

Things like:

a) What kind of "controls" do we have to make sure that the @signers
group is limited and that it requires some sort of approval to add
people to it?

b) Who has the ability to add another person?

c) Are people promptly removed when they no longer need to do any signing?

d) Who has the ability to remove people?

John
 
Old 08-10-2010, 11:02 PM
Kevin Fenzi
 
Default Allow all signers to read the key to upload signed rpms

On Tue, 10 Aug 2010 15:37:29 -0700
John Poelstra <poelstra@redhat.com> wrote:

> It seems to me that this is a very important group. Do we have an
> SOP that describes how this group is handled?

Not that I know of... perhaps there should be one.

> Things like:
>
> a) What kind of "controls" do we have to make sure that the @signers
> group is limited and that it requires some sort of approval to add
> people to it?

No more so than any other fas group I don't think.

> b) Who has the ability to add another person?

The admin/sponsors of the group.
Currently jkeating is the only admin, there are no sponsors.

> c) Are people promptly removed when they no longer need to do any
> signing?

I don't know. I would hope so.

> d) Who has the ability to remove people?

admin/sponsor of the group?

I think if we are going to write up policies for this group, we might
also put on the same page other "important" groups. ie, sysadmin-main,
cvsadmin, possibly others?

kevin
 
Old 08-11-2010, 01:50 AM
Mike McGrath
 
Default Allow all signers to read the key to upload signed rpms

On Tue, 10 Aug 2010, Kevin Fenzi wrote:

> On Tue, 10 Aug 2010 15:37:29 -0700
> John Poelstra <poelstra@redhat.com> wrote:
>
> > It seems to me that this is a very important group. Do we have an
> > SOP that describes how this group is handled?
>
> Not that I know of... perhaps there should be one.
>
> > Things like:
> >
> > a) What kind of "controls" do we have to make sure that the @signers
> > group is limited and that it requires some sort of approval to add
> > people to it?
>
> No more so than any other fas group I don't think.
>

Yeah, just a regular fas group.

-Mike
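The thread ends with `signers` being an ordinary FAS group with no extra controls, so the practical compensating check is an audit on the signing host: the key must stay owned by root, group `signers`, mode 0440 with nothing for "other", and the group's membership must match an approved roster. The script below is an added example, not Fedora Infrastructure tooling; it reads /etc/group-style data rather than FAS, and the group-file content, usernames and approved roster are constructed for the demonstration.

```python
"""
Audit checks for a group-readable package-signing key.

Added example, not Fedora Infrastructure code. It assumes the layout from
the patch above: a key+cert file at /etc/pki/pkgsigner/pkgsigner.pem owned
by root, group 'signers', mode 0440. SAMPLE_GROUP_FILE and APPROVED_SIGNERS
are constructed sample data, not a real host's /etc/group or FAS export.
"""
import os
import stat
import tempfile

# Constructed sample data (not real accounts).
SAMPLE_GROUP_FILE = """\
# constructed sample, not a real host's /etc/group
root:x:0:
signers:x:1002:alice,bob,carol
wheel:x:10:dave
"""
APPROVED_SIGNERS = {"alice", "bob"}


def key_file_findings(path, expected_uid, expected_gid, max_mode=0o440):
    """Return a list of problems with the on-disk permissions of the key file.

    An empty list means: owned by expected_uid/expected_gid, no permission
    bit set beyond max_mode, and nothing granted to 'other'.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"group gid {st.st_gid} != {expected_gid}")
    if mode & stat.S_IRWXO:
        findings.append(f"mode {mode:04o} grants access to 'other'")
    if mode & ~max_mode:
        findings.append(f"mode {mode:04o} has bits beyond {max_mode:04o}")
    return findings


def scratch_key_check(mode):
    """Create a scratch file standing in for pkgsigner.pem with `mode`,
    run key_file_findings against the current uid/gid, and clean up."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return key_file_findings(path, os.getuid(), os.getgid())
    finally:
        os.unlink(path)


def parse_group_file(text):
    """Parse /etc/group-style lines into {group_name: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def group_membership_findings(groups, group, approved):
    """Compare the actual members of `group` with the approved roster:
    'unapproved' answers question (a)/(c) in the thread, 'missing' catches
    a signer who was removed without the roster being updated."""
    actual = groups.get(group, set())
    return {
        "unapproved": sorted(actual - approved),
        "missing": sorted(approved - actual),
    }


def who_can_read_key(groups, owner, group):
    """Accounts able to read a 0440 owner:group file: the owner plus every
    member of the group. Anyone who can become root (sudo, sysadmin groups)
    can read it too, which a group file alone cannot show."""
    return {owner} | groups.get(group, set())


if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    print("membership:", group_membership_findings(groups, "signers", APPROVED_SIGNERS))
    print("can read key:", sorted(who_can_read_key(groups, "root", "signers")))
    print("0440 findings:", scratch_key_check(0o440))
    print("0644 findings:", scratch_key_check(0o644))
```

Run on the real host, `key_file_findings("/etc/pki/pkgsigner/pkgsigner.pem", 0, grp.getgrnam("signers").gr_gid)` replaces the scratch-file call, and the group data comes from `/etc/group` or whatever FAS sync writes there; the roster of approved signers is the piece the thread says does not yet exist.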
 