[OpenStack-Infra] Wiki.o.o sustaining spam attack

Jimmy Mcarthur jimmy at tipit.net
Wed Mar 23 14:29:35 UTC 2016



Jeremy Stanley wrote:
> On 2016-03-22 08:23:08 -0500 (-0500), JP Maxwell wrote:
>> If anyone wants to approve this I am still happy to help.
>>
>> https://review.openstack.org/#/c/285641/1
>
> Can you elaborate on how you intend to help which has to be done
> first with root access to the server (rather than merely with the
> assistance of someone with root access)? The commit message on that
> change indicates you just want access to logs files, which I or
> other root sysadmins can certainly provide.
>
> We want to make sure that all modifications are reflected in
> configuration management so that it's reviewed, tracked and
> repeatable, and this is why we generally limit production server
> root access to people who also have the ability to approve
> configuration management changes for the same servers. This service
> is already in a bit of an unfortunate state because years ago we
> were less strict and in a moment of weakness allowed the MW
> deployment/migration to precede the configuration management of that
> deployment (which was subsequently never completed). We need to make
> sure its tenuous situation doesn't regress further.
I think the idea that something bad happened years ago shouldn't
determine the fate of this service forever more. There is a real issue
occurring here and none of the current stopgaps have been working. JP's
proposal is pretty sound and isn't attempting to work around any rules,
simply to get to the root of the problem and then submit a patch for
review. IMO we can't wait another 6 weeks until the summit is over to
take a second look at this and hope an Ubuntu and MW upgrade fixes the
issue.
>
>> I don't think you are ever going to be successful at blocking
>> accounts or IPs. You must block the creation of the spam by the
>> bots. IMHO focusing on improving the captcha or understanding the
>> bypass path around the captcha is the best short term path to
>> accomplish this.
>
> I'm pretty sure we have consensus on this already. Blocking accounts
> and manual cleanup are only viewed as a temporary workaround while
> we plan for a safe upgrade to a more recent MW (and as a
> prerequisite, more recent Ubuntu) release so that we can take
> advantage of current access control measures and similar mitigation
> solutions developed by their community in response to escalating
> advancement in defacement and vandalism on Wikipedia and elsewhere.
