How to go about building up trust?

Robert Middleswarth robert at middleswarth.net
Fri Jun 22 16:17:01 UTC 2012


On 06/22/2012 08:45 AM, Dan Kenigsberg wrote:
> On Thu, Jun 21, 2012 at 05:00:31PM -0400, Robert Middleswarth wrote:
>> Sorry I forgot to include the subject line?
>>
>> On 06/21/2012 04:57 PM, Robert Middleswarth wrote:
>>> A few months ago it was asked on infra@ how the group should
>>> go about building up trust so you all would feel comfortable
>>> handing out e.g. ssh and sudo access to servers. Since there is
>>> someone actively (me) seeking to help who would need that
>>> access, I guess this is a good time to bring up the question again.
> I am not aware of any other trick beyond building up reputation. Your
> personal involvement in the project goes a long way to prove that you
> indeed care for it.
Agreed, there are some subjective aspects to it.
> However, I do not know how to quantify how much reputation one would need to
> get root access, a permission that is very easy to abuse and very hard
> to take away.
I agree as well.
> Another important issue beyond trust is NEED. Do you really need full su
> access? I personally do not have such access, and have to ask
> for every little host tweak specifically.
>
> Dan.
Well, that is a good question.  I have the same issue in my company, where
we know the people.  We have to balance access and need.  Sometimes
that need lets someone have root access to a certain system, but most of
the time we just put the pieces together.

From my understanding there are 3 core servers and a few Jenkins slaves
involved right now:  the webserver/listserver/wiki/kitchen sink box,
Gerrit, and Jenkins.  So access to one server gives you access to just
about everything.  So you are right, root access shouldn't be given to
just anyone.  But the current team of people who have access aren't
doing it full time, and I wouldn't expect the project to have people
doing it full time.  The question is, and it was proposed by quaid: once
you have someone that you feel has the reputation to be given access,
what kind of process should they go through?  Not saying I have hit that
stage yet.  I would assume at a minimum we would need to confirm they
exist.  For example, have a phone and a mailing address so we are sure we
have a legit person, not someone pretending to be someone else.  Do we
require a face to face with an existing member to show a driver's
license?  It is the old web of trust question.  How do you trust someone
on the Internet?  Answer: you don't, unless you verify them off-line in
some way.

Thanks
Robert
