[Pkg-puppet-devel] Proposed Puppet package changes

Andrew Pollock apollock at debian.org
Tue Nov 17 17:39:59 UTC 2009


Hi,

Nigel and I are at the Ubuntu Developer Summit this week, as is Luke Kanies.

We were having a bit of a chat with Mathias Gug from Canonical's Ubuntu Server
team.

Ubuntu is getting all onboard with Puppet integration, and they want to move
Puppet from Universe to Main, but there are a few issues their security team
has with the Puppet packages as they currently stand.

Specifically:

1) The Puppet client daemon starts automatically on install

Given this reaches out and talks to a host called "puppet", this was deemed
as a security issue (not unreasonably so, IMO). Given that a Puppet client
generally requires some configuration before it's usable, I don't think it's
unreasonable to not try to start Puppet automatically. I was thinking of
setting START=no in /etc/default/puppet to address this.

2) Permissions on /var/lib/puppet/state

Upon inspection, I'm not quite sure what the problem is here. The Ubuntu
modification just explicitly sets the owner and group. I don't have a
vanilla Ubuntu install handy to compare the ownership of this directory with
what the Debian package creates.

Additionally:

Ubuntu is also shipping the test suite as a separate package, and fixing the
Rakefile so that it's runnable. I think the desire was to be able to run the
test suite on a local installation of Puppet.

I thought we could roll all of these in with the package splitting that Stig
was proposing to do.

Unrelated, Luke seemed to think that Puppet 1.0 would be out within the
timeframe that Ubuntu 10.04 is going to feature freeze. Whether we want to
race to ship that in Debian and Ubuntu within that timeframe is another
question though...

regards

Andrew