[Demi-devel] Screen shots

Andrew Pollock apollock@debian.org
Tue, 8 Mar 2005 08:12:29 +1100


On Mon, Mar 07, 2005 at 03:50:34PM -0500, John Morrissey wrote:
> On Tue, Mar 08, 2005 at 07:30:12AM +1100, Andrew Pollock wrote:
> > Hmm. I was trying to make the client requirements as lightweight as
> > possible, which is why I was pulling the /var/lib/dpkg/status file via
> > SSH. No new holes to poke in firewalls, encrypted channel with strong
> > authentication for little extra effort.
> 
> An SSH transport is on my todo list, but I figured it'd be quicker to
> initially use the python-apt bindings instead of parsing
> /var/lib/dpkg/status by hand. I could argue either way; SSH giving free
> encryption and authentication, XML-RPC giving a well-defined interface and
> avoiding remote root access (unless you invoke a setuid wrapper, or limit
> remote root access with a command-limited public key, but I'm getting back
> into arguing either way again). Ultimately, I suppose it'll be up to end
> user preference.

What I had in mind wouldn't require remote root access. I wasn't planning on
having a daemon per se on the clients at all, just a non-privileged account.
Anyone can read /var/lib/dpkg/status, so we'd have a "demi" account, which
the central server uses to SSH in and retrieve the status file, as well as
upload new .debs to. A cron job could then check for the presence of a
command file telling it what to do.
 
> > So the client would do an apt-get? The scenario that made me want to build
> > this in the first place was one where the clients didn't have external
> > access, only the central server in the management zone, so the management
> > server would suck down the packages and push them out to the client.
> 
> Eventually it could support pushing packages to clients; in the short-term,
> having clients fetch packages themselves will probably get the code working
> quicker. The only major difference is placing the package (plus
> dependencies) in /var/cache/apt/archives/ so it's already downloaded on the
> client. I admit I'm biased on this, since our machines have access to a
> local mirror.
> 

Well that's not a lot different to using cron-apt on the client, with a
pretty web interface showing central version levels (which isn't a bad thing
I might add).

regards

Andrew

-- 
linux.conf.au 2005   -  http://linux.conf.au/  -  Birthplace of Tux
April 18th to 23rd   -  http://linux.conf.au/  -       LINUX
Canberra, Australia  -  http://linux.conf.au/  -    Get bitten!
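
Added example, not part of the original message or of the Demi code: a forced-command gate for the non-privileged "demi" account that combines the command-limited public key mentioned in the quoted reply with the two operations described above (retrieve the status file, accept an uploaded .deb). The verbs get-status and put-deb, the script path, and the incoming directory are assumptions made for illustration.

```python
import os
import re
import shlex
import shutil
import sys

# Assumed authorized_keys entry for the "demi" account (path and key are placeholders):
# command="/usr/local/bin/demi-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <SERVER_PUBLIC_KEY>
STATUS_FILE = "/var/lib/dpkg/status"   # world-readable, as the message notes
INCOMING_DIR = "/home/demi/incoming"   # assumed upload directory
# name_version_arch.deb with no path separators, so no traversal is possible
DEB_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+_[A-Za-z0-9.+~-]+_[a-z0-9-]+\.deb")


class Rejected(Exception):
    """The requested command is not on the allow-list."""


def dispatch(original_command):
    """Map SSH_ORIGINAL_COMMAND to (action, path), or raise Rejected."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError as exc:
        raise Rejected("unparseable command") from exc
    if argv == ["get-status"]:
        return ("send", STATUS_FILE)
    if len(argv) == 2 and argv[0] == "put-deb" and DEB_NAME.fullmatch(argv[1]):
        return ("receive", os.path.join(INCOMING_DIR, argv[1]))
    raise Rejected("command not permitted: %r" % (original_command,))


def main(environ, stdin, stdout):
    action, path = dispatch(environ.get("SSH_ORIGINAL_COMMAND"))
    if action == "send":
        with open(path, "rb") as src:
            shutil.copyfileobj(src, stdout)
    else:
        # O_EXCL refuses to overwrite an existing upload or follow a symlink
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
        with os.fdopen(fd, "wb") as dst:
            shutil.copyfileobj(stdin, dst)


if __name__ == "__main__":
    try:
        main(os.environ, sys.stdin.buffer, sys.stdout.buffer)
    except Rejected as exc:
        sys.exit("demi-gate: %s" % exc)
```

With this in place the central server's key can only trigger those two actions; an interactive login or any other command sent over the same key is refused before anything runs.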