* Martin, Jason H <[EMAIL PROTECTED]>
> Along the same lines, has anyone implemented a system such that there
> is no one person capable of pushing out changes? I'm talking about a
> system analogous to the nuclear missile keys that require 2 people to
> agree to launch.

One approach would be to store all the configuration under CVS, then use
a taginfo script to restrict who can apply tags to a file[1]. This way,
anyone with CVS rights could commit files, but only certain people would
have tag rights. CFEngine would then pull from CVS only files with a
certain tag set[2].

Some extra logic in the taginfo script might ensure the same person
could not both commit and tag the file, though I have not looked at how
hard this would be. Linking all this to an approval ticket system for
SOX compliance would be even more fun...

[1] CVSPermissions is close, but uses the directory permissions for tag
rights as well: http://sarovar.org/projects/cvspermissions

[2] stage-from-cvs is one method: http://sial.org/howto/cvs-tips/#s4
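
The commit/tag separation discussed in the message above, sketched as a taginfo hook. This is an added example, not part of the original post and not code from CVSPermissions or stage-from-cvs. Assumptions: the tag name `production`, the accounts `alice` and `bob`, the classic CVS 1.11 taginfo argument layout (tag, operation, repository directory, then file/revision pairs), and that the hook runs as the person applying the tag.

```python
import getpass
import os
import re
import sys

PROTECTED_TAG = "production"      # assumption: the tag the staging job exports
TAGGERS = {"alice", "bob"}        # assumption: accounts with tag rights


def revision_author(rcs_text, revision):
    """Return the author an RCS ,v file records for one revision, or None."""
    pattern = r"^%s\s*\ndate\s+[\d.]+;\s+author\s+([^;\s]+);" % re.escape(revision)
    match = re.search(pattern, rcs_text, re.MULTILINE)
    return match.group(1) if match else None


def check_tag(tagger, tag, operation, authors):
    """Decide one tag request; `authors` maps file name -> committing author."""
    if tag != PROTECTED_TAG:
        return True, "tag is not protected"
    if tagger not in TAGGERS:
        return False, "%s has no tag rights" % tagger
    if operation == "del":
        return True, "authorised tagger removing tag"
    for name, author in sorted(authors.items()):
        if author is None:
            return False, "cannot determine committer of %s" % name  # fail closed
        if author == tagger:
            return False, "%s committed %s and may not also tag it" % (tagger, name)
    return True, "committer and tagger differ"


def main(argv):
    # Classic CVS 1.11 taginfo arguments: tag op repository-dir [file rev]...
    tag, operation, repo_dir, pairs = argv[0], argv[1], argv[2], argv[3:]
    authors = {}
    for name, rev in zip(pairs[0::2], pairs[1::2]):
        try:
            with open(os.path.join(repo_dir, name + ",v"), errors="replace") as fh:
                authors[name] = revision_author(fh.read(), rev)
        except OSError:
            authors[name] = None      # e.g. file is in the Attic; refuse
    allowed, reason = check_tag(getpass.getuser(), tag, operation, authors)
    if not allowed:
        sys.stderr.write("taginfo: %s\n" % reason)
    return 0 if allowed else 1        # non-zero exit makes CVS abort the tag


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The hook only separates the last committer of each tagged revision from the tagger; anyone with write access to the repository files or to CVSROOT can still bypass it, so those permissions need restricting as well.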