Darren J Moffat wrote:
> On 06/24/11 13:18, James Carlson wrote:
>> Those sound like very good goals to me. The proposal described doesn't
>> seem to allow that degree of separation, though. Is discrimination
>> based on package category (DB versus OS) or rather administrative
>> authority something that would be added later?
>
> If we really want that strict separation then one possible way to do it
> with pkg is to have separate images for the DB and the OS. If the DB
> needs to depend on OS packages then it might be possible to use linked
> images. Here the DB would be a "user" or "partial" image not the
> "system image".
>
> We could then consider using the object part of the authorisation
> (similar to how it is used in zone delegation) to indicate the image.
> That way people who are DB installation admins get solaris.pkg.*/dbimage
> and people who are OS admins get solaris.pkg.*/system. I don't think
> we have a naming scheme for images as yet.

OK.

> In this case if a DB needs an updated OS package the OS admin has to do
> his job first.

Maybe. I think things can get a little tricky here. It's not unusual
for DBs (in particular; I have way too much experience with them now) to
be unsupported on newer OS releases, meaning that either the OS admin
needs to be restrained in what he does or that you force the two of them
to sit down together and do a single upgrade at once.

> I'd rather leave that until linked images and user images have developed
> a bit more. I think the original proposal provides enough value on its
> own and it is mostly targeted at the system image anyway.

Sure. I was just pointing out that the original proposal seems almost
too obvious to review. ;-}

--
James Carlson 42.703N 71.076W <[email protected]>
_______________________________________________
security-discuss mailing list
[email protected]
