I am glad to see the discussion stays mostly civil :).
Am 18/08/2017 um 2:08 schrieb Ralph Ronnquist:
> First and most centrally, I think the Devuan bandwagon has run into a
> couple of organizational pot holes, which basically comes down to people
> not relinquishing control.
>
> It's an organizational problem and not a technical one. It doesn't
> matter that you (we) are all good people with the best of intentions, if
> you (we) can't relinquish control appropriately. Without that, you (we)
> cannot expand the organization.
Can only subscribe that. And add that having this discussion over the
northern hemisphere's summer has not helped at all.
Am 18/08/2017 um 11:13 schrieb Jaromil:
> mediation by Evilham leading to the good documentation effort he is
> curating, another much needed contribution for the project in this
> phase. If we manage to continue the debate in a constructive way, I
> propose then we interact focusing on DIP-1 and documentation of the
> infrastructure until the end of this month, leaving aside any general
> consideration about decision making and personal involvement or other
> para-political issues.
Sounds good, looking forward to more contribution (from everyone) either
on the pads or directly on gdo. I am merging those regularly.
(related: just added documentation about D1G's setup to the repo)
A specially interesting point is completing the image in the overview
section that gives an overview of the project components. Ralph had very
good comments about this, specially:
* We have to define the possible interactions and who is going to be
able to do what (roles of users).
Am 14/08/2017 um 22:56 schrieb Evilham:
> Current infrastructure pad:
https://pad.dyne.org/code/#/1/edit/usQoFADFDsJ9UAFbVm0H7A/FPGyscaoxWTAqqgscT1bw7VA
> Build system improvements pad:
https://pad.dyne.org/code/#/1/edit/nXiySd0FPHvG8pBgGgImxA/aJ87TdwIEWiIk96GZcFwypnb
Am 17/08/2017 um 19:49 schrieb Jaromil:
>> 3) How to provide finer grained (ie per suite) build permissions?
> This is answered by Katolaz' RFC
I think what is meant by that point is: "What should the permissions
model look like?"
I.e. a matter of policy, not implementation. We need more of the former,
to move forward with the latter.
When it comes to permissions, Ralph's proposal is the way to do it: a
formal definition of users/roles/actions; then comes the implementation,
which has to be checked against the specification.
>> 4) Is there a real security vulnerability with gitlab that makes it a
>> now unwise to continue to use as the federated authentication
>> provider for our git and CI, and Devuan as a whole system?
> I believe there is no other way but Evilham disclosing the
> vulnerability he has found (thanks for noticing).
We (golinux and I) took a look at the current config and it doesn't look
like it's critical; basically, we need more auditing of stuff that gets
setup. E.g. GL workers are not being used (there are few and they all
fail), but are enabled and not perfectly configured.
Also related: there should be some process enforcing audit of (build)
permissions. Idle people can always easily regain access, but if they
are *only* idle and have permissions, they are a liability.
Am 17/08/2017 um 20:01 schrieb Jaromil:
> I hope you find the time to focus on a
> priority pending for your participation to the new website setup, to
> make a GPG and an SSH key which we all have and need to have.
AFAIK, we still don't know how you update the website.
Do you run the pipeline locally and then upload the result to the
server? Do you manually execute commands on the server? Setting up keys
is a very quick thing nowadays, but it doesn't make much sense to do
that if it's not clear how it's going to be used.
PS: The website needs an update.
On the implementation discussion part, I never got a reply to this email:
https://lists.dyne.org/lurker/message/20170815.083657.f9fe40bb.en.html
While I called for more focus on current infra documentation, I'd think
the questions were relevant for the discussion that will follow very
short-term.
--
Evilham