On Mon, 12 Nov 2012 21:41:59 -0500
Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:

> On Mon, Nov 12, 2012 at 08:22:17PM -0600, Nick Bebout wrote:
> > > this criteria may be tricky... There's just not that many of us.
> > Plus a lot of the releng people like kevin and dgilmore are in
> > sysadmin-main which has admin access everywhere.
>
> Worrying about this kind of thing is officially outside my scope, but
> I really think it's good practice. Even when we have awesome people
> we really know we can trust.

Sure. Problem is we need some people to maintain the system, so they need some level of access to do that, apply updates, etc.

That said, things like updates or sudo calls or the like are logged and watched (at least I do look at all the sudo's and logins).

I think we are getting a bit in the weeds here tho...

> That said, it is probably reasonable to have different access
> methods, so that users *could* theoretically access the backend
> system, they'd at the very least do so through different channels and
> when intentionally wearing a different (mental) hat.

Right. Ideally the process logs and saves off everything it does, and if there needs to be a backend change, that's logged and audited as well.

Trust, but verify.

Really the thing koji has going for it in this is that it has a database that's an easy place to store and view audit logs for things like this. So you can say "hey, the f18 beta image, how was it made" and can easily find the logs and look through them.

We could easily set up something that does something similar with a cloud instance, just needs more tooling.

kevin
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure