bertagaz@??? wrote (28 Sep 2013 09:22:16 GMT) :
> This change goes together with two changes in our puppet modules:
> A new one has been created to deploy the gnupg keyring in our autobuilder
> VM on lizard, and has been reviewed already by intrigeri.
I've had a look at the newest changes that I hadn't reviewed yet.
I think commit 433fa5cf ("Move the /mnt/crypt mount operation in
a more appropriate place") in lizard's Puppet manifests, and the
corresponding commit 2b71c6c6 in tails_secrets_jenkins, are a mistake,
and can be dangerous in the future.
Let me explain why.
This dummy mount really belongs to an individual node's manifest.
This declaration is the only way a sysadmin deploying the
tails_secrets_jenkins module can state that they have taken care of
the storage security prerequisites of that module. This statement
unblocks the deployment of the module.
Moving this dummy mount into tails_secrets_jenkins really means
"pretend my storage security prerequisites are satisfied, regardless
of where and how I'm deployed", which kinda defeats the purpose of
having any such safeguard in place.
Please revert both commits. A nicer solution has to be found.
I'm happy to help a bit, but for this I need more information than "If
not it seems to raise a chicken and egg problem" :)
I'm thus re-opening #6266.
> Ticket : #6268 - Adapt the Jenkins artifacts rotation script
ACK, marking as resolved!
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc