I've been developing a lot of salt config for myself and I want to start open sourcing it so that I can:
- Ask for public security review - Accept patches - Help people use Qubes a little better, when I think Qubes supports anarchistic praxis and is a force of good in the world I'm worried about the following things: - I lose my security through obscurity, which I don't want to do without the help of at least one non-amateur code reviewer for anything I publish - (and I'm not sure if the economics/incentives work out here such that I should be paying someone to help me with this or not) - I don't want to publish anything security sensitive without code review because I don't want to harm people Additionally, I'm not sure how to package salt config via a .deb package. Are there any existing examples of this? As an example of what I want to publish, I've written some config to create a private debian package repo vm powered by a YAML file that lets you specify sources to download packages (e.g. that are hosted as github releases) and verify them via gpg, then provide them to vms. My motivation is towards the goal of being able to destroy and recreate my templates from salt at any time, because salt is not stateless (unlike e.g. nix or bazel), e.g. if you decide to no longer add a package repo, you have to manually remove it from the domain in addition to updating the salt config, and you may forget; being able to recreate templates solves the otherwise almost intractable problem of knowing your templates aren't out of sync; it also means you can exclude templates from backups if you're brave, which can save a lot of space. Another example of some code I may want to publish: (WARNING: I think this may have a critical security issue of exposing config files to domains they don't belong to, but I'm not sure. Would need to investigate before publishing) This fixes TemplateNotFound errors when you try to jinja-include another file within a `file.managed` `template.jinja` file. > # MAINTAIN: Removed when fixed: https://github.com/saltstack/salt/issues/31531 > 'patch salt issue 31531': > cmd.run: > - name: | > if [[ ! -f "$XDG_DATA_HOME"/patched-salt-31531 ]]; then > cat <<CMD | xargs -0 -- qvm-run --pass-io template-sys || exit 1 > sudo sed -i'' "s#if fn_.strip() and fn_.startswith(path):#if fn_.strip() and > (fn_.startswith(path) or path == '/'):#" > /usr/lib/python3/dist-packages/salt/fileclient.py && \ > if ! grep extra-filerefs /etc/qubes-rpc/qubes.SaltLinuxVM >/dev/null; then > sudo sed -i'' "s#salt-ssh#salt-ssh --extra-filerefs salt:///#" > /etc/qubes-rpc/qubes.SaltLinuxVM; fi > CMD > fi > sudo mkdir -p "$XDG_DATA_HOME" || exit 1 > sudo touch "$XDG_DATA_HOME"/patched-salt-31531 || exit 1 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/NTmFFT8PX6ISKTuoQoqTiNW-F2DglyltdvA9x8wO347GSSL_I4S-c74Mbov1E4USGtpiWIpH39AZ-6lT3zzA9Uym9nxrRtGKGl8t_YsP3oE%3D%40protonmail.com.
