We have a bunch of sudo rules in disk-image-builder. They are there primarily so we could have passwordless sudo on jenkins boxes, but working with the infra team now, it looks like we'd run on devstack-gate nodes, not on jenkins directly, so they aren't needed for that.
They don't add appreciable security for end users as they are trivially bypassed with link attacks. And for distributors they are not something you want to install from a package. The only thing the *do* do is permit long running builds to run unattended by users with out reprompting for sudo; but this isn't an issue for most users, as we download the bulk of data before hitting the first sudo call. So I'd like to change things to say: - either run sudo disk-image-create or - setup passwordless sudo or - don't run unattended. and delete the sudoers.d rules as being a distraction, one we no longer need. Opinions? -Rob -- Robert Collins <rbtcoll...@hp.com> Distinguished Technologist HP Cloud Services _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
