Hi all, Thanks for the great feedback so far. One point is still not covered very well. Dennis and I discussed it a bit during lunch, but without solid conclusions.
"How do we certify/qualify a base image endorser?"
This person/entity is endorsing the root part of the image. So the site has to have sufficient trust in the base image endorser to believe that no bad things happen will happen from the VM on the site trusted network. We always claimed that just having VO software manger role is not enough to qualify. So, the next question is: what is enough to qualify and how do we make sure the endorser actually possesses these qualifications? Thanks, Sander
On Apr 22, 2010, at 11:12 AM, Sander Klous wrote:
Hi Dennis, The whole point of the policy is to share images between sites. So, what should the agreement contain from Nikhef perspective? (and what is an NGI?) Thanks, Sander
On Apr 22, 2010, at 10:47 AM, Dennis van Dok wrote:
Op 22-04-10 10:32, Sander Klous schreef:
Hi, One more specific point I need input for before the discussion this afternoon:
We will introduce an endorser for the base and one for the VO software portions. We need to have a discussion about the requirements put on the role of the base image endorser. A simple "site member versus VO member" is not good enough to distinguish trust levels. So the question is: how do we "certify/qualify" a base image endorser?
I suppose it depends on the scope of where the base will be used. If a base image is only going to be used at a single site, a local site admin can have that role. If an image is for distribution within an NGI, there should be agreement within such an organisation to bestow the responsibility.
For VOs we already have a role system in place. But what you probably also want is the audit trail of when a person gained and lost the role, so that this can be matched against the timestamps of actual endorsements.
Dennis