Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-October/000125.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2010-October/000125.html | 157 |
1 files changed, 157 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-October/000125.html b/zarb-ml/mageia-sysadm/2010-October/000125.html new file mode 100644 index 000000000..b9107d771 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-October/000125.html 
@@ -0,0 +1,157 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] planning for sysadmin task + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20planning%20for%20sysadmin%20task&In-Reply-To=%3C1288428951.10799.24.camel%40akroma.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000063.html"> + <LINK REL="Next" HREF="000064.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] planning for sysadmin task</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20planning%20for%20sysadmin%20task&In-Reply-To=%3C1288428951.10799.24.camel%40akroma.ephaone.org%3E" + TITLE="[Mageia-sysadm] planning for sysadmin task">misc at zarb.org + </A><BR> + <I>Sat Oct 30 10:55:51 CEST 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000063.html">[Mageia-sysadm] planning for sysadmin task +</A></li> + <LI>Next message: <A HREF="000064.html">[Mageia-sysadm] planning for sysadmin task +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#125">[ date ]</a> + <a href="thread.html#125">[ thread ]</a> + <a href="subject.html#125">[ subject ]</a> + <a href="author.html#125">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le mardi 26 octobre 2010 à 16:39 +0200, Romain d'Alverny a écrit : +><i> On Tue, Oct 26, 2010 at 16:06, Olivier Thauvin +</I>><i> <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">nanardon at nanardon.zarb.org</A>> wrote: +</I>><i> > * Romain d'Alverny (<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">rdalverny at gmail.com</A>) wrote: +</I>><i> >> On Tue, Oct 26, 2010 at 15:23, Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote: +</I>><i> 
>> Sysadm. Per request of webteam. +</I>><i> >> +</I>><i> >> > - setup of infrastructure ( ie apache module) +</I>><i> >> +</I>><i> >> Sysadm. Per request of webteam. +</I>><i> >> +</I>><i> >> > - who is in charge of securing +</I>><i> >> > - the servers +</I>><i> >> > - each applications +</I>><i> >> +</I>><i> >> Both. Server security is going to be affected by application security +</I>><i> >> and this is the webteam role to control that part. And to assume/fix +</I>><i> >> potential issues. +</I>><i> > [...] +</I>><i> > Since you prefer to not using rpm, the work to setup such application +</I>><i> > get more complicated, especially if the sys admin don't know perl (in +</I>><i> > this case, the same apply to php apps, python, etc...). +</I>><i> +</I>><i> I know this firsthand, from both sides, yes. That's the webteam +</I>><i> responsibility to provide this info for installing/upgrading the app, +</I>><i> and that partially requires from the webteam some knowledge about the +</I>><i> system. +</I>><i> +</I>><i> So indeed, both teams need to know/understand each other. +</I>><i> +</I>><i> > I don't like the "svn snapshot" way for officially in use web apps. It +</I>><i> > works for testing the devel version, but I'd really hope anyone +</I>><i> > working on web apps is able to have a clear roadmap and managing branch +</I>><i> > for quick security fixes. +</I>><i> +</I>><i> Sure. But it happens to break nonetheless. What is crucial is not that +</I>><i> there is no breach (there will), it's that it is quickly reported and +</I>><i> fixed. +</I>><i> +</I>><i> > And since you have a stable branch and a devel one, you are able to +</I>><i> > quickly redo a rpm. +</I>><i> +</I>><i> I understand that but a RPM is an unnecessary step here IMHO. A web +</I>><i> app/development life cycle in dev/production is not the same as one +</I>><i> for a packaged app for a distribution. 
+</I>><i> +</I>><i> All I care here as a Web dev/project manager is: +</I>><i> - working on the app +</I>><i> - making sure it works +</I>><i> - pushing to prod +</I>><i> - check again +</I>><i> - iterate. +</I>><i> +</I>><i> Pushing deployment from dev to production, assuming all tests pass, +</I>><i> should be ideally as fast as pushing a single button and waiting for a +</I>><i> few seconds. And it may not be a trivial thing either (not just +</I>><i> pushing files, but moving the app into several states for a clean +</I>><i> migration). +</I>><i> +</I>><i> At some extent, RPM dependencies would be a useful thing for setting +</I>><i> up the application but this mostly happens once (first install) and +</I>><i> can be easily hosted within the web application itself (and then +</I>><i> handle the error) - WordPress and Drupal do it for instance. +</I> +It also prevent the removal of used dependencies. +This can happen either when we are cleaning the server, or when we +upgrade the server, or another application. + +If tomorrow, we discover a huge security hole in php-hugesecurityhole +rpm, we need to know who use it to assess the security of the +infrastructure. And without knowing what other packages use the rpm, +this is gonna be slightly complicated to know if we are affected or not. + + +><i> So we can discuss this further with other future webteam members but I +</I>><i> will seriously not manage a production environment that goes through +</I>><i> packaging for app updates. +</I> +Well, if creating a package is just a single command ( as would be a +upgrade to the production server ), I do not think it will be much of a +problem. The only issue is to find someone skilled enough to create a +shell script for that and I do not really think that it will be a big +problem. We have a team of 8 admins and there is several volunteers +eager to help, it would be quite weird to have no one able to do it in +time. 
+ +><i> That does not mean I don't care about security - that means that +</I>><i> there's a balance to find and that web developers have to be in charge +</I>><i> of their apps security as well. So if that means we need to have +</I>><i> separate servers to isolate risks, so be it. If that means we need to +</I>><i> go for a different type of hosting, so be it. +</I> +Separating server do not really help much, if there is a security +problem, it will be there wherever you are. You can reduce the impact of +course, but that's just a consolation. We will have work to do to be +sure the server is clean after being audited, the reputation will be +affected none the less, and if the server is used for +spam/attack/whatever, we have to take care of this. + +-- +Michael Scherer + +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000063.html">[Mageia-sysadm] planning for sysadmin task +</A></li> + <LI>Next message: <A HREF="000064.html">[Mageia-sysadm] planning for sysadmin task +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#125">[ date ]</a> + <a href="thread.html#125">[ thread ]</a> + <a href="subject.html#125">[ subject ]</a> + <a href="author.html#125">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
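Review bot: the HEAD of the new file declares `<META http-equiv="Content-Type" content="text/html; charset=us-ascii">`, yet the article body in the same hunk contains non-ASCII text (`Le mardi 26 octobre 2010 à 16:39 +0200, Romain d'Alverny a écrit :`). A browser that honours the declared charset will decode those bytes as US-ASCII and show the accented characters as mojibake or replacement glyphs. The declaration should state the encoding the archive generator actually wrote the file in (for a UTF-8 body: `content="text/html; charset=utf-8"`), or the body should be transcoded to match the declaration; whichever is chosen, the two must agree before this file is committed.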