]] Yves-Alexis Perez

> You don't speak at all of the virtualization solution. Afair xen is
> currently already used on part of the infrastructure. Is it the
> preferred choice? Did you consider the use of containers / “lightweight
> virtualization”?

We're mostly using KVM nowadays and I think we're likely to continue down
that path. Containers are interesting, but, from my very cursory
exploration of them, they are where full VMs were a few years back and
probably need a bit more maturing.

> > User and Group Management
> > =========================
> >
> > Debian has, approximately, 50 000 shell accounts [4]. We believe most
> > of these are unused and would therefore like to disable those that are.
> > The goal is to reduce our exposure and not to take away anybody's
> > privileges. We will monitor shell account activity in order to identify
> > and disable shell accounts that have been unused for a significant
> > amount of time (months). We will extend ud-ldap to allow users to
> > easily and quickly re-enable their shell accounts.
>
> So that means something like a signed mail based “shell-knocking”? DD
> would need to send a gpg-signed mail to (re)enable a shell on a chosen
> machine before he can use it?

That's one possible way, we might also make it available on the LDAP
update web form. The exact details have not been worked out.

> > Similarly, there is currently no mechanism which ensures that people
> > only have the group memberships which they are using. We would like to
> > implement a system which will require users to periodically confirm
> > their group memberships. Like the shell accounts, the goal is to reduce
> > our exposure, not to take away anybody's privileges.
>
> Shouldn't the various teams handling the group take care of managing
> them? Do they currently fail at that?

I think we can say that yes, they generally fail at asking for people to
be removed from groups. I'm still a member of webwml even though I
don't think I've committed anything there since 2007 or so. I'm also
apparently a qa member, though I can't even remember asking to be put in
the group. :-)

(Not picking on those two groups specifically, I'm just using myself as
an example here.)

> Regards, and again thank you for all the work!

:-)

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

