On Fri, Jan 29, 2010 at 09:24, Tim Ellison <t.p.elli...@gmail.com> wrote:
>> What has been talked about in the past, to the Hudson admin team, is
>> restricted
>> access to Hudson Admins ONLY on the main Hudson Master box. This is going to
>> be
>> implemented real soon now and those not in the Hudson Admin Team will have
>> their
>> accounts removed.
>>
>> Regarding the slave machines, Minverva/Vesta , only those PMC members and
>> approved
>> Committers (approved by their PMC if they are not PMC Members) that need
>> shell
>> accounts will get one. All accounts will need to login using an SSH key as
>> password
>> logins will also be disabled. If you have an account on Minerva/Vesta please
>> ensure
>> you have a pub key installed and in use as we will switch to this system
>> soon.
+1
>> Rather than seeing 500+ accounts on these machines I would rather see as few
>> as
>> possible, with those having accounts helping out the maintenance and
>> configurations
>> for all projects and not just their own.
>
> Agreed. There is a steady stream of requests for accounts, and while
> I'm happy to enable people to make progress on their project tasks, we
> are building a potential problem for administering all those users.
True.
>> I am absolutely +1 on Hudson Admin Team maintaining these boxes and giving
>> out shell
>> accounts to the few PMC members that really need it, and also expanding out
>> the
>> Hudson Admin Team if necessary to add a very few more folks that will
>> maintain all
>> aspects of the machines for the benefit of all projects.
>
> Or reducing/removing the responsibility of the "Hudson admin team" and
> making these 'real' ASF Infra managed machines.
>
> I don't have the time (or skills!) of the dedicated infra folk here, and
> while I know I can call on you and Philip to help out if things go
> wrong, better to have the machines properly managed in the first place.
The danger I see is that neither Hudson admins [*], nor Infra, have
the bandwidth to administer all the random bits of build platform
software required by the range of products in the ASF.
(*: well, ok, me ;)
As Uwe noted earlier in the thread:
'- Updating lucene's private SVN tools for the new lucene rev-based
backwards branch (sparse checkout)'
'- Upgrading hudson's clover version for our new coverage reports
(that work correct with backwards branch)'
'You haven’t seen our IRC conversation between Mike and me where we
did something like "human remote control" when changing our build
scripts and so on. Something like "tell me whats in dir xyz", "hmm, ok
then we have to.... Ah before tell me if solaris has a toolxy
installed!", "yes", "ah then we can do pqrs first and tar this there".
Funny, but worked, but took a day :-)'
Those are all tasks where SSH access is either required, or greatly
simplifies the task.
by the way I fully agree that we can lock down the Hudson master box.
It's just the build slaves that are still in question.
--j.
