Kevin Fenzi said the following on 08/05/2010 04:44 PM Pacific Time: > On Thu, 5 Aug 2010 12:37:00 -0500 > Dennis Gilmore<dennis@xxxxxxxx> wrote: > >> diff --git a/manifests/services/pkgsigner.pp >> b/manifests/services/pkgsigner.pp >> index 11af55c..4449934 100644 >> --- >> a/manifests/services/pkgsigner.pp >> +++ b/manifests/services/pkgsigner.pp >> @@ >> -17,7 +17,7 @@ class pkgsigner { >> >> folder { "/etc/pki/pkgsigner/": >> >> owner => 'root', >> - group => 'jkeating', >> + group => >> 'signers', >> mode => '0750', >> source => "blank/" >> } >> @@ >> -25,7 +25,7 @@ class pkgsigner { >> cert { >> '/etc/pki/pkgsigner/pkgsigner.pem': >> source => >> 'secure/pkgsigner_key_and_cert.pem', >> owner => 'root', >> - >> group => 'jkeating', >> + group => 'signers', >> mode => '440' >> >> } >> >> @@ -45,7 +45,7 @@ class epel-pkgsigner { >> >> folder { >> "/etc/pki/pkgsigner/": >> owner => 'root', >> - group => >> 'jkeating', >> + group => 'signers', >> mode => '0750', >> >> source => "blank/" >> } >> @@ -53,7 +53,7 @@ class epel-pkgsigner { >> cert >> { '/etc/pki/pkgsigner/pkgsigner.pem': >> source => >> 'secure/pkgsigner_key_and_cert.pem', >> owner => 'root', >> - >> group => 'jkeating', >> + group => 'signers', >> mode => '440' >> >> } > > Looks good to me, +1 > > kevin > > It seems to me that this is a very important group. Do we have an SOP that describes how this group is handled? Things like: a) What kind of "controls" do we have to make sure that the @signers group is limited and that it requires some sort of approval to add people to it? b) Who has the ability to add another person? c) Are people promptly removed when they no longer need to do any signing? d) Who has the ability to remove people? John
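Review bot: The `cert` resources in the hunks at -25 and -53 leave `/etc/pki/pkgsigner/pkgsigner.pem` at `mode => '440'` while moving it to a shared group, so every member of `signers` can read the file, and the source name `secure/pkgsigner_key_and_cert.pem` suggests it holds the private key as well as the certificate. If that is the case, group membership only controls who can read the file from now on; it cannot take back a copy that was already readable, so the credential would have to be reissued when membership shrinks. I would record that next to each resource, e.g. `# readable by every member of 'signers'; reissue this key and cert when someone leaves the group`. Nothing in the visible hunks declares the `signers` group, so it is worth confirming the group is managed on these hosts before the classes are applied; both classes start and end outside the hunks.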