Question

Autopkg users, show of hands.

  • November 29, 2016
  • 6 replies
  • 19 views

  • Valued Contributor

I am transitioning our mac environment onto another network and have to get all software re-approved. Being that there is no vendor/support for Autopkg I am receiving some resistance on it. Can I get a show of hands of everyone who uses it/has it approved for use? I’d like to present a list of agencies currently utilizing it as validation. Of particular use would be federal agencies. Feel free to contact me directly if you don't want to put that information here. paul.dickson at nbacc.dhs.gov.

6 replies

  • Valued Contributor
  • November 29, 2016

Federal agency checking in here.

That being said, I suspect that my ITSec issue would not approve, if they knew the details. I'm working towards setting up an internal .git repository to use as our AutoPKG repository and copying over the recipes we use.


  • New Contributor
  • November 29, 2016

We are also looking at using Autopkg, but there are some security concerns to take into account. For example, there isn't currently a way to tell if a recipe author is doing anything bad with their recipe, other than auditing the recipe manually and understanding what the recipe does. The recommended way to handle this is to set up a workflow where each recipe you use has a corresponding override with trust settings. If the recipe changes, it will throw an error so you can audit the parent recipe again and update the trust settings. You can find more about that workflow here:

https://github.com/autopkg/autopkg/wiki/Autopkg-and-recipe-parent-trust-info

Note that these options are a feature of Autopkg 1.0, which is currently in prerelease (the current release is 0.6).
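The override/trust workflow described in the reply above, as an added illustration that is not from the original thread or from the AutoPkg project: a small Python model of what `autopkg make-override`, `autopkg verify-trust-info` and `autopkg update-trust-info` do with the `ParentRecipeTrustInfo` block. The recipe content is constructed inline, and the model only tracks the parent-recipe hash (AutoPkg also records git hashes and non-core processor hashes).

```python
import hashlib
import plistlib

# Constructed parent recipe (a tiny download recipe) standing in for a file
# pulled from a community repo; AutoPkg recipes are plists shaped like this.
PARENT_ID = "com.github.example.download.ExampleApp"
PARENT_RECIPE_V1 = plistlib.dumps({
    "Identifier": PARENT_ID,
    "Input": {"NAME": "ExampleApp"},
    "Process": [{"Processor": "URLDownloader",
                 "Arguments": {"url": "https://example.invalid/ExampleApp.dmg"}}],
})
# The same recipe after an upstream edit (download URL changed). This is the
# kind of change the trust check must surface before the recipe runs again.
PARENT_RECIPE_V2 = PARENT_RECIPE_V1.replace(
    b"example.invalid/ExampleApp.dmg", b"example.invalid/Other.dmg")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_override(parent_id: str, parent_bytes: bytes) -> dict:
    """Model of `autopkg make-override`: pin the audited parent by its hash."""
    return {
        "Identifier": "local." + parent_id.split(".")[-1],
        "ParentRecipe": parent_id,
        "ParentRecipeTrustInfo": {
            "parent_recipes": {parent_id: {"sha256_hash": sha256_hex(parent_bytes)}},
        },
    }

def verify_trust(override: dict, parents: dict) -> list:
    """Model of `autopkg verify-trust-info`: return identifiers whose current
    content no longer matches the hash recorded when the recipe was audited.
    A non-empty result is the error the reply above refers to."""
    trust = override.get("ParentRecipeTrustInfo", {}).get("parent_recipes", {})
    changed = []
    for ident, recorded in trust.items():
        current = parents.get(ident)
        if current is None or sha256_hex(current) != recorded["sha256_hash"]:
            changed.append(ident)
    return changed

def update_trust(override: dict, parents: dict) -> dict:
    """Model of `autopkg update-trust-info`: re-pin hashes only after the
    changed parent has been read and re-audited by a human."""
    new = dict(override)
    new["ParentRecipeTrustInfo"] = {"parent_recipes": {
        ident: {"sha256_hash": sha256_hex(parents[ident])}
        for ident in override["ParentRecipeTrustInfo"]["parent_recipes"]}}
    return new
```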


  • Author
  • Valued Contributor
  • November 29, 2016

@gsanna Thanks for the info. That may be enough to ease IS's minds.


  • Valued Contributor
  • November 29, 2016

Until patch management is ready, this is a no brainer. But yes, some validation is required since evil recipes are possible.


acodega
  • Valued Contributor
  • November 29, 2016

1.0 has been released today.


  • Valued Contributor
  • November 29, 2016

We looked at using AutoPKG, but decided that the concerns outweighed the benefits.