New Fedora Infra End User Policy Review

Hi All,
As part of some Infra documentation updates we need to replace the missing Fedora Infra End User Policy. We found a copy of the original document on archive.org and I extracted the End User Policy section. I updated the policy a small amount to replace outdated information and have formatted it into a PDF that can be found here:

How does it look to everyone?


Mark Rosenbaum

(PS: More details about this can be found at Issue #306: Updating docs to replace references to the deprecated CSI Project - infra-docs-fpo - Pagure.io)

2 Likes
  1. Thank you for taking this on. This is something which has needed updates and review for a long time.
  2. I would remove or update Section 3 on further reading. Both are linked to EOL documents and may not be very useful.
  3. I think it might be best to convert the document to something like markdown, and then discuss each section in part to see what is updated.
1 Like

Yeah, thanks for looking into this!

So, some of the info there is great and still applies and some… not as much.

I wonder if there’s any more up to date type of document we could just point to (like a NIST standard or something), but that might well be too complex and not really fully apply in our space.

Failing some higher level best practices that meet our needs, I think we should look at just pulling the things that still make sense from here into part of our space in docs.fedoraproject.org (with a note thanking the orig author :).

We could probably add some things as well. Basically we just want anyone with access to our infra to use common sense (yes, I know that not everyone does and that's why spelling out some items is important).

Some random things I would add:

Users SHOULD enroll at least one OTP and preferably more than one to have a backup.

Users SHOULD keep their personal machines updated to avoid known security issues.

And I am sure there’s lots more (although we should try not to write some kind of exhaustive list here, this is just a ‘best practices’).

Related to this I have some docs I really need to finish up that describe things like permissions levels and how we grant access, etc. Perhaps next week I can find time to work on that. :)

1 Like

Thanks for doing this. This looks like a good start.

Good suggestions, I’m working on re-sourcing over on the google doc. I was looking into some new NIST and DoD sources (the CUI protection guidelines). I’ll work on converting this all to a MD or another format like that at a bit later point.

1 Like

I definitely think you're right about that but I think we should be taking NIST and/or DoD guidelines into our own doc instead of just fully linking to one of theirs. Their docs can get pretty advanced so I was thinking of taking and condensing some of their guidelines and then maybe linking to them in the source section.

Just wanted to post this update here. There's been a bit of a change of plans due to an archived copy being found over at https://pagure.io/CSIS/blob/main/f/docbook/security-policy/en-US. I’m going to work on converting that to an asciidoc then work from there on updating the actual documentation.

2 Likes