On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote: > > What ensures that the data available via fingerd will be a) complete > > (meaning how will you ensure all developers participate) and b) up-to-date? > > IMO, we need to identify one master source of information and *ensure* that > > is used and kept up-to-date. If we want to provide multiple avenues to > > access that info, that's fine, but we need one database, not multiple ones. > > imho, if all developers just created a ~/.pgpkey the fingerd will be > worth having (i'll explain below why i think this is the best medium for > key distribution). You still haven't explained how we will ensure the data are up to date and complete. imo, this method of distribution is only useful if there is 100% participation. A cornerstone of your argument is that it's easy for the user to "finger developer@gentoo.org" to get their key. My point is that's useless if they can't rely upon *always* being able to get that information. > making the keys available via the website is not ideal, getting it into > a keyring involves a few steps, eg: > > 1) fire up web browser, navigate to query page > 2) enter dev name, and then copy and paste key into text > or copy and paste url for wget to fetch > 3) gpg --import < saved_file > 4) rm saved_file, etc, etc. Or, you could just do: wget http://keys.gentoo.org/devname.gpg which would be trivially easy to set up. We could even use mod_rewrite to redirect that to a public keyserver relieving us from having to administer anything locally. (see below for why all keys will be on public keyservers) > and putting the keys onto keyservers would involve getting users to > check fingerprints, and distributing those fingerprints (agreed, checks > should always be made anyway, but in reality i cant see that happening). Checks need to be mandatory and, afaik, are on the feature list to be built into Portage. Thus, keys *will* be on public keyservers and checks *will* be made. > making the keys available via finger means it will be simple to get any > keys into gpg from the command line on one line, eg: > > $ finger klieber@gentoo.org | gpg --import or $ wget http://keys.gentoo.org/devname.gpg | gpg --import My point is there are multiple 'easy' ways of accomplishing this task. finger is not the only solution. > Also, should a developer revoke or regenerate a key, they would have to > contact someone with cvs access to the website to update it, with > fingerd they can just login (or scp) to dev.g.o and update the key > themselves, which would take effect immediately. I am totally confident > this is the simplest and best medium for distributing developer keys. No, if a dev needs to revoke a key, they need to send out a revocation and yank it from all the keyservers. Devs would still be able to do this outside of cvs using the mod_rewrite example I mentioned above. Again, I am open to considering the idea of running fingerd as an alternate means of transporting data, but at this point, I am not convinced that storing things in /home directories is the right/best solution. --kurt