From eugen@leitl.org Sun Sep 8 12:49:07 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: [linux-elitists] Congruent Infrastructure (was: Re: Surveillance)
Date: Sun, 08 Sep 2013 18:49:03 +0200
Message-ID: <20130908164903.GK29404@leitl.org>

----- Forwarded message from Andy Bennett -----

Date: Sun, 08 Sep 2013 17:14:01 +0100
From: Andy Bennett
To: Marc MERLIN
Cc: linux-elitists(a)zgp.org
Subject: [linux-elitists] Congruent Infrastructure (was: Re: Surveillance)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130116 Icedove/10.0.12

Hi,

>> Which means I need to set up that build the source
>> package and check that the binaries match thing.
>> Anyone doing this already for your favorite
>> distribution?
>
> I did that at google for our distribution that runs in production,
> well more specifically we don't run upstream binaries at all. We've
> re-bootstrapped our own distribution, maintain and compile our own openssl,
> openssh and so forth.
>
> We also have mostly binary invariant builds, and yes that was work, we had
> to patch stuff for sure.
> However, that process didn't tell us if the upstream binaries were the same
> because we modified most of our source to be leaner and compiled differently
> than upstream.
> Home page: http://marc.merlins.org/

I notice you did this: http://marc.merlins.org/linux/talks/getupdates/

I'd be very interested in your views on things such as Puppet or Chef: I
myself have been very skeptical of them.
Some of the issues are outlined in this blog post (not by me):
http://blog.thestateofme.com/2013/04/30/an-adventure-with-chef/

It seems that all the evangelists for such things have never heard of things
like MIT Athena and http://www.infrastructures.org/ and don't seem to know
much about the underlying theory.

infrastructures.org describes a system similar to the one in your slides,
albeit using slightly older technology.

I'd be interested in your thoughts on "congruent infrastructure management",
especially around the issues of avoiding divergence, proving convergence and
recovery from failure that doesn't involve wiping the machine.

Regards,
@ndy

-- 
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF

_______________________________________________
Do not Cc: anyone else on mail sent to this list. The list server is set for
maximum one recipient.
linux-elitists mailing list
linux-elitists(a)zgp.org
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
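Both halves of the thread above reduce to the same mechanical check: Marc's "build the source package and check that the binaries match" and Andy's "avoiding divergence, proving convergence" are each answered by hashing every file in a reference tree and an actual tree and reporting what differs. The script below is an added example, not code from either poster, from Google's build system or from infrastructures.org. The two "build" trees it compares are constructed sample data (fake ELF bytes, a fake openssl package layout); the only real-world claim embedded in it is that a build-time timestamp written into an output file is the usual thing that breaks binary-invariant builds.

```python
"""Detect divergence between two file trees by hashing every regular file.

Added example: compare a rebuilt package tree against a reference tree (the
"check that the binaries match" step), or a host's managed files against the
state a configuration tool claims to have converged to. The sample trees
below are constructed data, not the output of any real build.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for every regular
    file under root. Symlinks are skipped rather than followed, so a link
    pointing outside the tree cannot smuggle in (or hide) content."""
    root = Path(root)
    records = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = path.stat().st_mode & 0o777
        records[rel] = (digest, mode)
    return records


def compare_trees(expected_root, actual_root):
    """Return {relative_path: reason} for every file that diverges.

    reason is one of:
      'missing'    present in expected, absent from actual
      'unexpected' present in actual, absent from expected
      'content'    same path, different bytes
      'mode'       same bytes, different permission bits
    An empty dict means the two trees are congruent."""
    expected = hash_tree(expected_root)
    actual = hash_tree(actual_root)
    divergence = {}
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            divergence[rel] = "missing"
        elif rel not in expected:
            divergence[rel] = "unexpected"
        else:
            (e_digest, e_mode), (a_digest, a_mode) = expected[rel], actual[rel]
            if e_digest != a_digest:
                divergence[rel] = "content"
            elif e_mode != a_mode:
                divergence[rel] = "mode"
    return divergence


def _write(root, rel, data, mode=0o644):
    """Create rel under root with the given bytes and permission bits."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.chmod(path, mode)


def build_demo_trees():
    """Constructed sample data: two 'builds' of a fake openssl package.

    The binary and library are byte-identical; a BUILDINFO file embeds a
    timestamp (the classic reproducibility breaker); a config file has drifted
    to world-writable; the second tree carries an extra engine module and
    lacks the man page. None of this is real openssl content."""
    first = tempfile.mkdtemp(prefix="build-a-")
    second = tempfile.mkdtemp(prefix="build-b-")
    binary = b"\x7fELF" + b"\x00" * 12 + b"fake openssl binary"
    library = b"\x7fELF" + b"\x00" * 12 + b"fake libssl"
    for root in (first, second):
        _write(root, "usr/bin/openssl", binary, 0o755)
        _write(root, "usr/lib/libssl.so.1.0.0", library, 0o644)
    _write(first, "usr/share/doc/openssl/BUILDINFO", b"built 2013-09-08T12:00:00Z\n")
    _write(second, "usr/share/doc/openssl/BUILDINFO", b"built 2013-09-08T12:05:31Z\n")
    _write(first, "etc/ssl/openssl.cnf", b"[ ca ]\ndefault_ca = CA_default\n", 0o644)
    _write(second, "etc/ssl/openssl.cnf", b"[ ca ]\ndefault_ca = CA_default\n", 0o666)
    _write(first, "usr/share/man/man1/openssl.1.gz", b"\x1f\x8b fake gzip")
    _write(second, "usr/lib/engines/padlock.so", b"\x7fELF fake engine", 0o644)
    return first, second


def demo():
    """Run the comparison on the constructed trees and return the divergence."""
    first, second = build_demo_trees()
    return compare_trees(first, second)


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{reason:10s} {rel}")
```

Two design points worth noting. Permission bits are compared separately from content because a config file drifting to world-writable is exactly the kind of divergence a content-only hash misses, and it is the kind that matters for security. And for the reproducible-build use, the output tells you which files differ rather than just that the package does not match, so the next step (finding the timestamp, hostname or build path that leaked into the artifact) starts from a short list.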