[fdo] Respository vandalism by root at ...fd.o

Tollef Fog Heen tfheen at err.no
Tue Nov 23 23:10:25 PST 2010


Hi,

Dave, thanks for the Cc.  I've Cc-ed this to freedesktop@, since it's
really a bit more of a project-wide discussion than just xorg, but feel
free to keep both in Cc.

]] Frans de Boer

| Also, if it turns out to be a validated claim Adam made, accept it as
| is and continue. Hopefully Adam has learned his lesson. But also
| Freedesktop.org should have it's act together. Do check the access
| rights and allow only trusted persons root access. Hopefully Adam was
| NOT one of them they trusted explicitly and he has only access due to
| historical reasons.

People are people and sometimes do stupid things and things the
reret. What Adam did was stupid and wrong, but it was also out of
character for him.  There was no reason whatsoever not to let him have
root access before.

]] Dave Airlie

| Yes, and not sure about the rest. Freedesktop isn't some sort of paid
| organisation here, you have a group of volunteers running some
| machines tied together with a lot of bailing twine. It only recently
| through the good graces of Collabora that fd.o got some paid
| administration time directed at it at all (Tollef). Like we could
| migrate all the stuff to machines that X.org control but we'd end up
| with the same problems + another set of problems.

The main problem fdo is facing on the admin side those days is a lack of
resources more than anything, and we don't want to trust completely
random people to have root.  Those we trust enough to have root are
usually quite busy already.  That said, I'm hoping to make the admin
burden slightly lighter by doing two things.  Please note that these are
my ideas, they're not set in stone and while I think I have the
consensus of the rest of the active fdo admins, nothing has formally
been decided yet.

- Kick out inactive admins and bring new ones on board.  I'm not going
  to take away root from anybody who uses it and needs it, but for
  people who just have root for historical reasons and haven't done
  anything with it for months or years, I'd like to remove it.

- Split account administration and root.  We already use ud-ldap and we
  do have one account admin that's not root, so this is already
  feasible, and if some of the existing root users basically only do
  account management, I'd like to move those people off root and just
  get them account management rights.

Over time, I'm slightly hoping we can split this even further out so
trusted people can do git repository management for their own project
without having to involve an admin for the easy regular tasks.  If
anybody wants to be involved in this (and over time, more involved in
fdo admin work), I'd love to get help, particularly with moving towards
some of the ideas in
http://err.no/personal/blog/tech/2010-03-27-15-55_why_you_should_publish_your_infrastructure

| Adam still does a lot of a/c maintenance for X.org and other projects,
| these will now be have to be done by part-time admin which means even
| longer delays on new a/cs. There is a major fd.o overhaul in the works
| and maybe Tollef can provide some insight into it when he has time.

Some of the items are listed above, in addition we're in the middle of
acquiring new machines which should allow things like better spam
filtering and generally better performance.

Regards,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


More information about the freedesktop mailing list