Here are some notes taken from the CERN pre-dojo meeting from last week :
<paste>
Allow SIGs to have separate accounts for build bots
- separate user accounts from "bot" accounts for security reasons
- [proposal] have an email alias (not list) per sig for the bots, like sig-<bla>@centos.org pointing to the SIG's chair
- [proposal] SIG chair must request or approve email alias requests/ ACO account creation sent to CentOS Board chairman
</paste>
So, (as also discussed yesterday in the CBS meeting - https://www.centos.org/minutes/2017/October/centos-devel.2017-10-23-14.01.lo...)
The proposal would be to create a @centosproject.org (or @centos.org) email alias, that would go to SIG chair, and that would be used to create an account on https://accounts.centos.org
While we can manually generate x509 cert with longer validity period, we discussed the fact that using centos-cert just takes 2 seconds every 6 months, so SIG members who were present didn't find it a real issue. (email notifications go to SIG chair - and/or other members ? - in advance so easy to follow)
That's probably the workflow people use already anyway, while Brian confirmed that longer-term a proper credentials store would be on the roadmap, but soon.
On 24/10/17 09:45, Fabian Arrotin wrote:
> Here are some notes taken from the CERN pre-dojo meeting from last week :
> <paste>
> Allow SIGs to have separate accounts for build bots
> - separate user accounts from "bot" accounts for security reasons
> - [proposal] have an email alias (not list) per sig for the bots, like sig-<bla>@centos.org pointing to the SIG's chair
> - [proposal] SIG chair must request or approve email alias requests/ ACO account creation sent to CentOS Board chairman
> </paste>
> So, (as also discussed yesterday in the CBS meeting - https://www.centos.org/minutes/2017/October/centos-devel.2017-10-23-14.01.lo...)
> The proposal would be to create a @centosproject.org (or @centos.org) email alias, that would go to SIG chair, and that would be used to create an account on https://accounts.centos.org
> While we can manually generate x509 cert with longer validity period, we discussed the fact that using centos-cert just takes 2 seconds every 6 months, so SIG members who were present didn't find it a real issue. (email notifications go to SIG chair - and/or other members ? - in advance so easy to follow)
> That's probably the workflow people use already anyway, while Brian confirmed that longer-term a proper credentials store would be on the roadmap, but soon.
I'd like to see a better write up of the use cases for these bots
On 24/10/17 15:56, Karanbir Singh wrote:
> On 24/10/17 09:45, Fabian Arrotin wrote:
>> Here are some notes taken from the CERN pre-dojo meeting from last week :
>> <paste>
>> Allow SIGs to have separate accounts for build bots
>> - separate user accounts from "bot" accounts for security reasons
>> - [proposal] have an email alias (not list) per sig for the bots, like sig-<bla>@centos.org pointing to the SIG's chair
>> - [proposal] SIG chair must request or approve email alias requests/ ACO account creation sent to CentOS Board chairman
>> </paste>
>> So, (as also discussed yesterday in the CBS meeting - https://www.centos.org/minutes/2017/October/centos-devel.2017-10-23-14.01.lo...)
>> The proposal would be to create a @centosproject.org (or @centos.org) email alias, that would go to SIG chair, and that would be used to create an account on https://accounts.centos.org
>> While we can manually generate x509 cert with longer validity period, we discussed the fact that using centos-cert just takes 2 seconds every 6 months, so SIG members who were present didn't find it a real issue. (email notifications go to SIG chair - and/or other members ? - in advance so easy to follow)
>> That's probably the workflow people use already anyway, while Brian confirmed that longer-term a proper credentials store would be on the roadmap, but soon.
> I'd like to see a better write up of the use cases for these bots
As the requests came from SIGs, I'll let them explain their needs, but here are some points:
- SIG Cloud instance has already a "cloudinstance" bot that you approved for the Vagrant images
- SIG Cloud / RDO people asked for such bot instead of using Haikel's "cert and key" in their existing workflow
- SIG Storage (for Ceph) asked for the same thing : https://bugs.centos.org/view.php?id=13884
On Tue, Oct 24, 2017 at 04:25:13PM +0200, Fabian Arrotin wrote:
> As the requests came from SIGs, I'll let them explain their needs, but here are some points:
> - SIG Cloud instance has already a "cloudinstance" bot that you approved
>   for the Vagrant images
> - SIG Cloud / RDO people asked for such bot instead of using Haikel's
>   "cert and key" in their existing workflow
> - SIG Storage (for Ceph) asked for the same thing :
In opstools, we are currently having changes to spec files reviewed via gerrit, like here[1]. Once a change is approved, jenkins builds a srpm and submits that srpm for a build in cbs using my "cert and key".
However, I would prefer that to be a different one. TBH, having more eyes on package changes rather than doing this alone seems to be much safer for me. Bonus is, everything is publicly documented, and everyone can propose changes.
Best,
Matthias
[1] https://review.rdoproject.org/r/#/c/10239/1
On 10/24/2017 04:25 PM, Fabian Arrotin wrote:
> On 24/10/17 15:56, Karanbir Singh wrote:
>> On 24/10/17 09:45, Fabian Arrotin wrote:
>>> Here are some notes taken from the CERN pre-dojo meeting from last week :
>>> <paste>
>>> Allow SIGs to have separate accounts for build bots
>>> - separate user accounts from "bot" accounts for security reasons
>>> - [proposal] have an email alias (not list) per sig for the bots, like sig-<bla>@centos.org pointing to the SIG's chair
>>> - [proposal] SIG chair must request or approve email alias requests/ ACO account creation sent to CentOS Board chairman
>>> </paste>
>>> So, (as also discussed yesterday in the CBS meeting - https://www.centos.org/minutes/2017/October/centos-devel.2017-10-23-14.01.lo...)
>>> The proposal would be to create a @centosproject.org (or @centos.org) email alias, that would go to SIG chair, and that would be used to create an account on https://accounts.centos.org
>>> While we can manually generate x509 cert with longer validity period, we discussed the fact that using centos-cert just takes 2 seconds every 6 months, so SIG members who were present didn't find it a real issue. (email notifications go to SIG chair - and/or other members ? - in advance so easy to follow)
>>> That's probably the workflow people use already anyway, while Brian confirmed that longer-term a proper credentials store would be on the roadmap, but soon.
>> I'd like to see a better write up of the use cases for these bots
> As the requests came from SIGs, I'll let them explain their needs, but here are some points:
> - SIG Cloud instance has already a "cloudinstance" bot that you approved
>   for the Vagrant images
> - SIG Cloud / RDO people asked for such bot instead of using Haikel's
>   "cert and key" in their existing workflow
> - SIG Storage (for Ceph) asked for the same thing :
SCLo SIG would also like to have such an account: https://bugs.centos.org/view.php?id=14000
The proposed email alias seems good to me, any news about that proposal?
Honza
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel