From: "Paul de Vrieze"
Date: Mon, 11 Aug 2003 10:24:40 +0200 (CEST)
Subject: Re: [gentoo-dev] Finger GLEP

Aron Griffis said:
> I really like this idea for the following reasons:
>
> 1. Information about devs should be sourced from the devs home
>    directory. It means each dev can maintain their own data, and it
>    avoids the problem of having a separate area of which devs need to be
>    aware. Using fingerd automatically meets this "requirement".
>

There are advantages and disadvantages. For pgp keys I personally believe
that this is not the way to go. In case a dev box gets rooted it is very
easy for a hacker to update a .gpgkey file, but if we would have an
authenticated and automated process changing the key in the ldap database
(through an easy to use script) that would increase security a lot while
still getting all the data at one place. I think the plan file can indeed
be sourced from a .plan file in the homedir. But a gpg in general hardly
gets updated, so a bit more formal access is warranted in this case.

I believe the choice has been made to centralize the developer database on
ldap.
As such I believe that if we want to provide a finger service it will
need to be ldap aware and pull most information from ldap, and/or other
sources. For example for projects the current plan is to create
project.xml files containing information about the project. Including who
is part of the project. There is no final structure yet, but once we do
have it, it will be the definite authority on who works on which project.

I believe having people maintain separate information in their homedirs is
not the way to go as it will lead to incomplete and inaccurate data, and
also diminishes the need for developers to keep the definite information
up to date. (Yes that means that I think the next version of the developer
list will be autogenerated)

> 2. If we want to make dev information available on the web as well, it
>    can easily be harvested (once per hour, as somebody mentioned the
>    website is updated) from the dev's home dirs.
>
> 3. I agree with Tavis regarding the ease of using finger to lookup
>    per-developer information such as gpg keys. Using the web is not
>    quick.
>

I don't mind the use of finger as the retrieval protocol, but in this case
the server probably needs to be updated to get its information from other
sources.

>
> It seems like a good (usable/maintainable/secure) solution to me, and as
> Tavis has mentioned, it's already in use by a number of major open
> source projects.

Well, I see the use of finger as a protocol for information retrieval, but
I don't think that a standard fingerd will do the job. One way to do
things is to have a configuration file somewhere that specifies plugin
programs that supply the fingerd with information.
What I mean is for example the following:

/etc/fingerd/plugins:
getplan=/usr/gentoo/bin/getplan

and "getplan pauldv" would then return my plan (by catting .plan from my
homedir)

"getkey pauldv" though would get my key from the ldap server and would
output it to fingerd

Paul

-- 
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net

--
gentoo-dev@gentoo.org mailing list
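
The plugin lookup sketched in the message above, as an added example that is not part of the original post or of any Gentoo tool: a dispatcher that parses the `name=/path` file and validates the network-supplied user name before handing it to a plugin. The `getkey` path, the name patterns, and the function names are assumptions made for illustration.

```python
import re
import subprocess

# Constructed sample of the /etc/fingerd/plugins file from the message.
# Only the getplan line is from the post; the getkey path is an assumption.
SAMPLE_CONFIG = """\
# name=program
getplan=/usr/gentoo/bin/getplan
getkey=/usr/gentoo/bin/getkey
"""

NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")    # plugin names (assumed rule)
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative login names


def parse_plugins(text):
    """Parse name=/absolute/path lines; reject anything else outright."""
    plugins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, path = line.partition("=")
        name, path = name.strip(), path.strip()
        if not sep or not NAME_RE.fullmatch(name) or not path.startswith("/"):
            raise ValueError(f"line {lineno}: bad plugin entry {raw!r}")
        plugins[name] = path
    return plugins


def build_argv(plugins, plugin, user):
    """Return the argv for one lookup, or raise on unacceptable input."""
    if plugin not in plugins:
        raise KeyError(f"unknown plugin {plugin!r}")
    # The user name arrives from the network. fullmatch keeps '/', '..',
    # whitespace, newlines and option-like text out of the plugin's argv.
    if not USER_RE.fullmatch(user):
        raise ValueError(f"rejected user name {user!r}")
    return [plugins[plugin], user]


def run_plugin(plugins, plugin, user, timeout=5, max_bytes=65536):
    """Run the plugin without a shell, time-limited; truncate its reply."""
    argv = build_argv(plugins, plugin, user)
    done = subprocess.run(argv, stdout=subprocess.PIPE,
                          stdin=subprocess.DEVNULL, timeout=timeout, check=True)
    return done.stdout[:max_bytes]
```

With this split, a `getkey` plugin can read from the central, authenticated store while `getplan` reads the home directory, and the daemon itself never builds a path or a shell command from the request.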