From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 12135 invoked by uid 1002); 11 Aug 2003 00:02:12 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 18240 invoked from network); 11 Aug 2003 00:02:12 -0000 Date: Mon, 11 Aug 2003 00:02:10 +0000 From: Tavis Ormandy To: Kurt Lieber Cc: gentoo-dev@gentoo.org Message-ID: <20030811000210.GB8548@sdf.lonestar.org> References: <20030810223914.GB27538@sdf.lonestar.org> <20030810232734.GJ1819@mail.lieber.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030810232734.GJ1819@mail.lieber.org> User-Agent: Mutt/1.5.3i Subject: Re: [gentoo-dev] Finger GLEP X-Archives-Salt: e7498ecb-f324-46a5-91b0-444c34375532 X-Archives-Hash: e25c2e0dab8177e1d020e01da4a4e13a On Sun, Aug 10, 2003 at 07:27:37PM -0400, Kurt Lieber wrote: > OK, I guess this one is an infrastructure GLEP to approve/reject. I'd also > like to get input from seemant as the devrel manager. > > I have security concerns about running fingerd, but I can see how the > benefits outweigh the risks in this case. I thought some people might, im not sure what the specific issues you have are, but I know that a lot of people have had the "finger == bad" hammered into them, partly due to the information leakage, and partly as some of the early (pre 1980s) implementations were famously poor. I'm confident it is totally secure to use fingerd, and i included the list of famous sites using fingerd as precedent...but i understand it still makes some admins nervous :) > However, there are still several > areas that I don't see being addressed by this GLEP: > > 1) We already suffer from what I call "information sprawl" right now, > meaning we have the same information spread out across multiple places, > with no one place being the "master repository". The net result of this is > that users have to hunt through multiple repositories to try to find out > which one the developer chose to use for their particular query. agreed, but i think the specific type of information that would be kept in .plans is not available in any easy form right now, i guess tracking cvs commits and searching through usernames with bugzilla is the closest way you can get to an activity report, which is just not practical for most users, and even developers in a rush would probably not bother. > What ensures that the data available via fingerd will be a) complete > (meaning how will you ensure all developers participate) and b) up-to-date? > IMO, we need to identify one master source of information and *ensure* that > is used and kept up-to-date. If we want to provide multiple avenues to > access that info, that's fine, but we need one database, not multiple ones. > imho, if all developers just created a ~/.pgpkey the fingerd will be worth having (i'll explain below why i think this is the best medium for key distribution). In the implementations i have seen, people have always kept their .plans reasonably up to date, its an easy way to keep people notified of things that they are working on (or an in depth description of their responsibilities, etc) and if the finger daemon was well known about (mentioned in gwn, for example) it will give users a chance to check for updates before firing off an email. > 2) Tangental to the issue above, we've already talked about placing things > like GPG keys on the web site in XML format and pulling the other info (dev > name, location, projects, etc.) in via XML as well. Why is the fingerd > solution a better one? Items on the web site are updated hourly. I can't > think of too many cases where that type of freshness isn't timely enough. > > --kurt Yep, i suggested a fingerd at the time. imho, its the best way for distributing keys. making the keys available via the website is not ideal, getting it into a keyring involves a few steps, eg: 1) fire up web browser, navigate to query page 2) enter dev name, and then copy and paste key into text or copy and paste url for wget to fetch 3) gpg --import < saved_file 4) rm saved_file, etc, etc. and putting the keys onto keyservers would involve getting users to check fingerprints, and distributing those fingerprints (agreed, checks should always be made anyway, but in reality i cant see that happening). making the keys available via finger means it will be simple to get any keys into gpg from the command line on one line, eg: $ finger klieber@gentoo.org | gpg --import the user can be confident the key is really yours, and only one basic command is required (you can test this with my key, my address is in my .sig). Also, should a developer revoke or regenerate a key, they would have to contact someone with cvs access to the website to update it, with fingerd they can just login (or scp) to dev.g.o and update the key themselves, which would take effect immediately. I am totally confident this is the simplest and best medium for distributing developer keys. Thanks, Tavis. -- ------------------------------------- taviso@sdf.lonestar.org | finger me for my gpg key. ------------------------------------------------------- -- gentoo-dev@gentoo.org mailing list