From Fedora Project Wiki


 
(57 intermediate revisions by 3 users not shown)
Line 6: Line 6:
http://fedoraproject.org/wiki/Infrastructure
http://fedoraproject.org/wiki/Infrastructure


Contributing Writer:  HuzaifaSidhpurwala
Contributing Writer:  [[HuzaifaSidhpurwala|Huzaifa Sidhpurwala]]


=== Email aliases and new cvs requests  ===
=== Intrusion update ===
[[MikeMcGrath| Mike McGrath]] sent a link <ref>https://www.redhat.com/archives/fedora-announce-list/2009-March/msg00010.html</ref> to the list about the intrusion which was sent to the fedora-announce-list earlier.<ref>https://www.redhat.com/archives/fedora-infrastructure-list/2009-March/msg00277.html</ref>


Toshio Kuratomi writes for fedora-infrastructure-list [1]
Mike said that he was waiting to discuss authentication mechanisms for the fedora-servers, Since passwords+ssh keys are not the most secure authentication mechanism. Also it seems that fedora does not have the budget for any RSA token like system for authentication.


Last week Seth implemented email aliases for the people who should be notified of changes to packages. Toshio used this new functionality to have getnotifylist, which looks up who to notify on cvs commits, stop querying the pkgdb directly (a slow operation with multiple points where it could fail) and instead just construct the alias from the packagename.  
There was a lot of discussion on this thread, with various people proposing different authentication mechanisms which could be used.


[1] https://www.redhat.com/archives/fedora-infrastructure-list/2008-July/msg00104.html
[[Dennis Gilmore|DennisGilmore]] started a similar thread about Auth Mechanims<ref>https://www.redhat.com/archives/fedora-infrastructure-list/2009-March/msg00294.html</ref> on which he discussed using etoken or Yubikey for authentication.
It was a two factor authentication and therefore was more secure than passphrase or ssh keys.


=== YUM security issues... ===
<references/>
 
Toshio Kuratomi writes for fedora-infrastructure-list [2]
 
This is a re-post from Josh Bressers. Justin asked if the ability for mirror admins to select a
subnet where they'll serve all of the traffic has been removed?  There is a particular concern about this issue in the short term. There is a paper about this also [3]
 
[2] https://www.redhat.com/archives/fedora-infrastructure-list/2008-July/msg00082.html
 
[3] http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
 
=== cvsextras renamed to packager ===
 
Toshio Kuratomi writes for fedora-infrastructure-list [4]
 
cvsextras has been renamed to packager. Any scripts that depends on querying the "cvsextras" group will now need to query "packager".
 
[4] https://www.redhat.com/archives/fedora-infrastructure-list/2008-July/msg00128.html
 
=== Cron <postgres@db2> /var/lib/pgsql/vacstat.py check ===
 
Toshio Kuratomi writes for fedora-infrastructure-list [3]
 
Since the plan is to move koji to db3 within the week Toshio proposed  that he would like to hold off on this. The dump and reload to move to the new server should be more effective than a manual vacuum.
 
 
[3] https://www.redhat.com/archives/fedora-infrastructure-list/2008-July/msg00033.html

Latest revision as of 04:36, 6 April 2009

Infrastructure

This section contains the discussion happening on the fedora-infrastructure-list.

http://fedoraproject.org/wiki/Infrastructure

Contributing Writer: Huzaifa Sidhpurwala

Intrusion update

Mike McGrath sent the list a link [1] to the intrusion announcement that had been sent to the fedora-announce-list earlier. [2]

Mike said that he was waiting to discuss authentication mechanisms for the Fedora servers, since passwords plus SSH keys are not the most secure authentication mechanism. It also seems that Fedora does not have the budget for any RSA-token-like system for authentication.

There was a lot of discussion on this thread, with various people proposing different authentication mechanisms which could be used.

Dennis Gilmore started a similar thread about auth mechanisms [3], in which he discussed using an eToken or YubiKey for authentication. This would be two-factor authentication and therefore more secure than a passphrase or SSH keys.