Issue #1154 has been updated by luke.

Status changed from Needs design decision to Accepted
Affected version set to 0.24.4

I'll accept this as a general goal, but there's obviously a ton of design work necessary before anything like this is actually feasible. At the least, you need a clean differentiation between the manifests that the server uses to compile the catalogs, and the compiled catalogs themselves.

----------------------------------------
Feature #1154: Allow signed manifests to eliminate single point of compromise
http://projects.reductivelabs.com/issues/show/1154

Author: jgoldschrafe
Status: Accepted
Priority: Normal
Assigned to: community
Category: newfeature
Target version:
Complexity: Unknown
Patch: None
Affected version: 0.24.4
Keywords:

Puppet, like all configuration management systems, suffers from the possibility of being a single point of compromise, allowing arbitrary instructions to be run on all hosts accessing the Puppetmaster if a malicious manifest is crafted. Since the goal of Puppet more or less necessitates Puppet running as root on client systems, the amount of damage capable of being inflicted on client nodes is virtually limitless, and some optional extra precautions should be provided in order to limit the damage capable of being caused by a single rooted Puppetmaster.

Signed manifests appear to be the easiest and most intuitive way to accomplish this. Like GPG-signed packages, they ensure that Puppet manifests have come from an authenticated source. By verifying the signature on manifests coming from the server, clients may verify that packages have been approved by the organization owning the Puppet server.
----------------------------------------
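As an added illustration (not code from this issue or from Puppet itself), here is the check the request asks for, applied to the compiled catalog that luke's comment distinguishes from the source manifests: a release key held offline signs the catalog, the agent verifies it against a pinned public key before applying anything, and a catalog altered after signing (as a compromised Puppetmaster could do) fails verification. The key, catalog contents and resource names are constructed for the demo; a real deployment would pin the public key out of band rather than generate it at runtime.

```ruby
require 'openssl'
require 'json'

# Offline release key: held by the people who approve catalogs, never by the
# Puppetmaster. Generated here only so the demo is self-contained (assumption).
RELEASE_KEY = OpenSSL::PKey::RSA.new(2048)
# The only thing the agent needs: the pinned public half of that key.
PINNED_PUBLIC_KEY_PEM = RELEASE_KEY.public_key.to_pem

# Canonical JSON (keys sorted recursively) so signer and verifier hash
# byte-identical input regardless of how the hash was built.
def canonical(obj)
  case obj
  when Hash  then '{' + obj.sort.map { |k, v| "#{k.to_json}:#{canonical(v)}" }.join(',') + '}'
  when Array then '[' + obj.map { |v| canonical(v) }.join(',') + ']'
  else obj.to_json
  end
end

# Release-side step: sign the compiled catalog, ship catalog + base64 signature.
def sign_catalog(catalog, key)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), canonical(catalog))
  { 'catalog' => catalog, 'signature' => [sig].pack('m0') }
end

# Agent-side gate: true only if the signature matches the pinned key exactly.
# Missing or malformed signatures are treated as failures, never as "unsigned".
def verify_signed_catalog(signed, pinned_pem)
  pub = OpenSSL::PKey::RSA.new(pinned_pem)
  sig = signed.fetch('signature').unpack1('m0')
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, canonical(signed.fetch('catalog')))
rescue KeyError, ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Constructed sample catalog for one node.
CATALOG = {
  'name' => 'web01.example.com',
  'resources' => [{ 'type' => 'Package', 'title' => 'nginx', 'ensure' => 'present' }]
}
SIGNED = sign_catalog(CATALOG, RELEASE_KEY)

# What a compromised master could attempt: appending a resource after signing.
def tampered_copy(signed)
  copy = JSON.parse(JSON.generate(signed)) # deep copy
  copy['catalog']['resources'] << { 'type' => 'Exec', 'title' => 'injected', 'command' => '/bin/true' }
  copy
end

if __FILE__ == $PROGRAM_NAME
  puts "genuine catalog accepted:  #{verify_signed_catalog(SIGNED, PINNED_PUBLIC_KEY_PEM)}"
  puts "tampered catalog accepted: #{verify_signed_catalog(tampered_copy(SIGNED), PINNED_PUBLIC_KEY_PEM)}"
end
```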
