Actually, I use a module... I don't use copy, I download mine via http. However, it shouldn't be too difficult to separate out the sig check step to work with a copy procedure.
What would happen is first you copy from central to a local cache, and then do your sig check. If it passes, then you update your inputs directory from the local cache. Since I download a signed tarball, for a central copy it'd be easier to create a single signed checksum file (i.e., md5sum for everything in your master inputs), and then check that file and its contents.

Russell

On Thu, Oct 13, 2005 at 08:06:15AM -0700, Martin, Jason H wrote:
> Could you provide some more details about your update script?
>
> -Jason Martin
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Adams, Russell L.
> > Sent: Thursday, October 13, 2005 8:04 AM
> > To: [email protected]
> > Subject: Re: Tiered admins with cfengine / dual control
> >
> > I sign my configs with gnupg, and my update script checks for
> > a valid sig before installing new config files.
> >
> > You could do the same things but require a dual signing.
> >
> > Russell
> >
> > On Thu, Oct 13, 2005 at 07:58:28AM -0700, Martin, Jason H wrote:
> > > Along the same lines, has anyone implemented a system such that there
> > > is no one person capable of pushing out changes? I'm talking about a
> > > system analogous to the nuclear missile keys that require 2 people to
> > > agree to launch.
> > >
> > > The scenario here is how would the college protect itself from Jason
> > > Edgecombe, as a top-level SA, deciding to bring down the entire
> > > university infrastructure.
> > >
> > > CFE doesn't support this directly, but perhaps it could be managed via
> > > a module. I'm thinking it'd have to be based on two different master
> > > servers agreeing on a configuration, with discrepancies causing CFE to
> > > fail into an internal-maintenance-only mode. Assuming that each master
> > > server has a mutually exclusive set of root users, it'd have to be
> > > something that none of them could subvert on their own.
> > >
> > > Thank you,
> > > -Jason Martin
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Mark Burgess
> > > > Sent: Thursday, October 13, 2005 7:34 AM
> > > > To: Jason Edgecombe
> > > > Cc: [email protected]
> > > > Subject: Re: Tiered admins with cfengine
> > > >
> > > > On Thu, 2005-10-13 at 09:56 -0400, Jason Edgecombe wrote:
> > > > > Hi everyone,
> > > > >
> > > > > I work at a university, and we are currently using cfengine in our
> > > > > college to manage some linux and Mac machines. In our college, there are
> > > > > two admins including myself who are trusted and have total control of
> > > > > the cfengine config.
> > > > >
> > > > > Using cfengine has been proposed as being adopted by the entire
> > > > > University for Mac administration. My concern is how do we inherit the
> > > > > campus config and only let people in our college modify the config that
> > > > > affects our machines.
> > > > >
> > > > > For example, I am in the College of Arts & Sciences and I can only
> > > > > change the cfengine configs for machines in my college. The college of
> > > > > Architecture would only have access to their machines, but we both
> > > > > inherit the changes pushed out by central IT.
> > > > > I simply want to limit the effects of accidental changes made by
> > > > > different admins. It's not just newbieness that I'm worried about. I
> > > > > don't have a full understanding of what my changes might do to another
> > > > > college's computers.
> > > > >
> > > > > Basically, how can we partition the cfengine set up between admins,
> > > > > but still inherit a config from central IT? Do we have to use different
> > > > > cfengine servers for this?
> > > > >
> > > > > Thanks,
> > > > > Jason
> > > >
> > > > Hi Jason - you don't have to use different cfengine servers
> > > > for this, but you could. The way to inherit things is to use
> > > > overridable "includes". One way to organize the permissions
> > > > is to use CVS or subversion and put the different files in
> > > > different projects so that one needs permission to edit them.
> > > >
> > > > Mark
> > > >
> > > > _______________________________________________
> > > > Help-cfengine mailing list
> > > > [email protected]
> > > > http://lists.gnu.org/mailman/listinfo/help-cfengine

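The cache-then-verify flow Russell describes, combined with the dual signing he suggests, as an added example (it is not Russell's update script and not cfengine code). It assumes detached gpg signatures over one checksum manifest kept outside the cache, uses SHA-256 where the post mentions md5sum, and the fingerprints and function names are hypothetical.

```python
import hashlib, os, re, subprocess

# Hypothetical signing-key fingerprints of the two admins (constructed values).
TRUSTED = {"A" * 40, "B" * 40}

def valid_signers(status_text, trusted=TRUSTED):
    """Trusted fingerprints that have a VALIDSIG line in gpg --status-fd output."""
    found = re.findall(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]+)\b", status_text, re.M)
    return set(found) & set(trusted)

def gpg_status(manifest, sig):
    """Run gpg on one detached signature and return its machine-readable status."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig, manifest]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def manifest_signed(manifest, sigs, required=2):
    """Dual control: `required` distinct trusted keys must sign the same manifest."""
    signers = set()
    for sig in sigs:
        signers |= valid_signers(gpg_status(manifest, sig))
    return len(signers) >= required  # one admin signing twice still counts once

def check_cache(cache_dir, manifest_text):
    """Compare the local cache with the signed manifest; return a list of problems."""
    expected, problems, seen = {}, [], set()
    for line in manifest_text.splitlines():
        digest, _, name = line.partition("  ")  # sha256sum text-mode line format
        expected[name] = digest
    for root, _, files in os.walk(cache_dir):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), cache_dir)
            seen.add(rel)
            with open(os.path.join(cache_dir, rel), "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
            if rel not in expected:
                problems.append("unsigned file: " + rel)  # never promote extras
            elif actual != expected[rel]:
                problems.append("digest mismatch: " + rel)
    problems += ["missing file: " + n for n in sorted(set(expected) - seen)]
    return problems

def safe_to_promote(cache_dir, manifest, sigs):
    """Gate for the copy from cache to inputs: signatures first, then contents."""
    if not manifest_signed(manifest, sigs):
        return False
    with open(manifest) as fh:
        return not check_cache(cache_dir, fh.read())
```

Only when `safe_to_promote` returns true should the update script copy the cache into the inputs directory; a file present in the cache but absent from the manifest is treated as a failure rather than ignored.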