Issue #20729 has been updated by Andrew Parker.

File CatalogBundles.txt added
Status changed from Unreviewed to Accepted

I've had similar thoughts and came to a similar conclusion as Peter. I've actually started (but haven't worked on for a little while) an idea that I was calling catalog bundles. The basic premise was to create an artifact that contained "all" (as close as possible) of the information needed to apply a catalog. That would be the plugins, the files, the catalog itself. I hacked together a POC in a branch in my puppet fork, but I think it might be in a non-working state right now.

* Draft proposal: <https://github.com/zaphod42/armatures/tree/master/arm-draft.catalog_bundles>
* Spike of bundles: <https://github.com/zaphod42/puppet/tree/pared_down_puppet>
* Updated proposal that takes the idea a bit further: attached

----------------------------------------
Feature #20729: Have a way to sign the catalog offline so the puppetmaster server doesn't have to be trusted
https://projects.puppetlabs.com/issues/20729#change-91674

* Author: Pedro Côrte-Real
* Status: Accepted
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
As I was reviewing the security of my servers I realized that gaining root on the puppetmaster means gaining root everywhere as you can push whatever configuration you want to another server. It would be great if all the puppet resources served by the puppetmaster were signed by a private key that the puppetmaster doesn't hold so that the clients could check that key and not have to trust the puppetmaster.
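
The idea discussed in this ticket (a bundle of catalog, files and plugins signed by a key the puppetmaster does not hold, and checked by the agent before it applies anything), as an added Ruby sketch. It is not part of the original thread, not Puppet's code and not the linked proposal's design; the bundle layout, file names and function names are assumptions.

```ruby
require 'openssl'
require 'digest'
require 'json'

# Manifest = sorted [name, sha256] pairs, so the same content always
# serializes to the same bytes. Bundle layout is hypothetical.
def bundle_manifest(components)
  JSON.generate(components.sort_by { |name, _| name }
                          .map { |name, bytes| [name, Digest::SHA256.hexdigest(bytes)] })
end

# Offline step, run where the private key lives (not on the puppetmaster).
def sign_bundle(components, signing_key)
  manifest = bundle_manifest(components)
  { 'manifest'  => manifest,
    'signature' => signing_key.sign(OpenSSL::Digest.new('SHA256'), manifest) }
end

# Agent step: trust only the pinned public key, then compare content digests.
def verify_bundle(components, signed, trusted_pub)
  digest = OpenSSL::Digest.new('SHA256')
  unless trusted_pub.verify(digest, signed['signature'], signed['manifest'])
    return :bad_signature
  end
  return :content_mismatch unless bundle_manifest(components) == signed['manifest']
  :ok
end

# Constructed sample bundle: catalog, one file, one plugin.
def sample_bundle
  { 'catalog.json'           => '{"resources":[{"type":"File","title":"/etc/motd"}]}',
    'files/motd'             => "managed by puppet\n",
    'plugins/facter/role.rb' => "Facter.add(:role) { setcode { 'web' } }\n" }
end

def demo
  offline_key = OpenSSL::PKey::RSA.new(2048)          # held off the master
  master_key  = OpenSSL::PKey::RSA.new(2048)          # key a master could hold
  pinned_pub  = OpenSSL::PKey::RSA.new(offline_key.public_key.to_pem)
  signed      = sign_bundle(sample_bundle, offline_key)
  altered     = sample_bundle.merge('files/motd' => "changed on the master\n")
  { untouched: verify_bundle(sample_bundle, signed, pinned_pub),
    altered:   verify_bundle(altered, signed, pinned_pub),
    resigned:  verify_bundle(altered, sign_bundle(altered, master_key), pinned_pub) }
end

p demo if $PROGRAM_NAME == __FILE__
```

The agent accepts a bundle only when the signature verifies against the pinned public key and every component's digest matches the signed manifest, so content changed on the master, or re-signed with a key the master holds, is rejected.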
