[engineering.redhat.com #319333] Re: [Security] System job to deploy rpms

[Red Hat Product Security]

On Thu Oct 09 00:09:25 2014, sbonazzo at redhat.com wrote:
> Il 08/10/2014 18:18, Red Hat Product Security ha scritto:
> > On Wed Oct 08 08:35:15 2014, sbonazzo at redhat.com wrote:
> >> Il 08/10/2014 12:02, Ohad Basan ha scritto:
> >>> Hello everyone.
> >>>
> >>> I've created a small job (not yet enabled)
> >>> that gets an rpm and then deploys it to the static repo at
> >> resources.ovirt.org
> >>> for this I've sent this patch http://gerrit.ovirt.org/#/c/33863/
> >>> that will add the "resources" user. it will have permissions only
> >> for the static rpms directory and will scp the files to there.
> >>> is it acceptable by everybody security-wise?
> >>>
> >>
> >> Adding security list to the loop.
> >
> > Hi, thanks for this.  I'm a bit confused though.  Is this pertaining
>    to the infrastructure for the oVirt project, or is this code going
>    into the oVirt code itself that is then consumed by downstream
>    users?  I only ask because of the reference to resources.ovirt.org
>    so I'm unsure whether this is a code question or an infrastructure
>    question.
> >
> > Can you please advise?
> 
> It's infrastructure question

Ok, that's what I thought.  Being entirely unfamiliar with the infrastructure it _sounds_ reasonable to me, but this is probably the sort of question that should go to infosec at redhat.com as they deal with our infrastructure security (whereas Product Security just deals with our products' security).  Would you mind reaching out to infosec to ask? 


-- 
Vincent Danen / Red Hat Product Security