[Pkg-puppet-devel] Proposed Puppet package changes

Nigel Kersten nigel at explanatorygap.net
Tue Nov 17 18:26:14 UTC 2009


2009/11/17 Andrew Pollock <apollock at debian.org>

> Hi,
>
> Nigel and I are at the Ubuntu Developer Summit this week, as is Luke
> Kanies.
>
> We were having a bit of a chat with Mathias Gug from Canonical's Ubuntu
> Server team.
>
> Ubuntu is getting all onboard with Puppet integration, and they want to
> move Puppet from Universe to Main, but there are a few issues their
> security team has with the Puppet packages as they currently stand.
>
> Specifically:
>
> 1) The Puppet client daemon starts automatically on install
>
> Given this reaches out and talks to a host called "puppet" this was deemed
> as a security issue (Not unreasonably so IMO). Given that a Puppet client
> generally requires some configuration before it's usable, I don't think
> it's unreasonable to not try to start Puppet automatically. I was thinking
> of setting START=no in /etc/default/puppet to address this.
>
> 2) Permissions on /var/lib/puppet/state
>
> Upon inspection, I'm not quite sure what the problem is here. The Ubuntu
> modification just explicitly sets the owner and group. I don't have a
> vanilla Ubuntu install handy to compare the ownership of this directory
> with what the Debian package creates.
>
> Additionally:
>
> Ubuntu is also shipping the test suite as a separate package, and fixing
> the Rakefile so that it's runnable. I think the desire was to be able to
> run the test suite on a local installation of Puppet.
>


