From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 12818 invoked by uid 1002); 11 Aug 2003 09:22:39 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 27607 invoked from network); 11 Aug 2003 09:22:39 -0000 Date: Mon, 11 Aug 2003 05:22:06 -0400 From: Kurt Lieber To: Tavis Ormandy Cc: gentoo-dev@gentoo.org Message-ID: <20030811092156.GO1819@mail.lieber.org> References: <20030810223914.GB27538@sdf.lonestar.org> <20030810232734.GJ1819@mail.lieber.org> <20030811000210.GB8548@sdf.lonestar.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="BuBclajtnfx5hylj" Content-Disposition: inline In-Reply-To: <20030811000210.GB8548@sdf.lonestar.org> X-GPG-Key: http://www.lieber.org/kurtl.pub.gpg User-Agent: Mutt/1.5.4i Subject: Re: [gentoo-dev] Finger GLEP X-Archives-Salt: b6d89697-88a9-4938-85c0-d83610bf4605 X-Archives-Hash: 3d5b18b4877a750001a5297ba94ff587 --BuBclajtnfx5hylj Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrot= e: > > What ensures that the data available via fingerd will be a) complete > > (meaning how will you ensure all developers participate) and b) up-to-d= ate? > > IMO, we need to identify one master source of information and *ensure* = that > > is used and kept up-to-date. If we want to provide multiple avenues to > > access that info, that's fine, but we need one database, not multiple o= nes. >=20 > imho, if all developers just created a ~/.pgpkey the fingerd will be > worth having (i'll explain below why i think this is the best medium for > key distribution).=20 You still haven't explained how we will ensure the data are up to date and complete. imo, this method of distribution is only useful if there is 100% participation. A cornerstone of your argument is that it's easy for the user to "finger developer@gentoo.org" to get their key. My point is that's useless if they can't rely upon *always* being able to get that information. > making the keys available via the website is not ideal, getting it into > a keyring involves a few steps, eg: >=20 > 1) fire up web browser, navigate to query page > 2) enter dev name, and then copy and paste key into text > or copy and paste url for wget to fetch > 3) gpg --import < saved_file > 4) rm saved_file, etc, etc. Or, you could just do: wget http://keys.gentoo.org/devname.gpg which would be trivially easy to set up. We could even use mod_rewrite to redirect that to a public keyserver relieving us from having to administer anything locally. (see below for why all keys will be on public keyservers) > and putting the keys onto keyservers would involve getting users to > check fingerprints, and distributing those fingerprints (agreed, checks > should always be made anyway, but in reality i cant see that happening). Checks need to be mandatory and, afaik, are on the feature list to be built into Portage. Thus, keys *will* be on public keyservers and checks *will* be made. > making the keys available via finger means it will be simple to get any > keys into gpg from the command line on one line, eg: >=20 > $ finger klieber@gentoo.org | gpg --import or $ wget http://keys.gentoo.org/devname.gpg | gpg --import My point is there are multiple 'easy' ways of accomplishing this task. finger is not the only solution. > Also, should a developer revoke or regenerate a key, they would have to > contact someone with cvs access to the website to update it, with > fingerd they can just login (or scp) to dev.g.o and update the key=20 > themselves, which would take effect immediately. I am totally confident= =20 > this is the simplest and best medium for distributing developer keys. No, if a dev needs to revoke a key, they need to send out a revocation and yank it from all the keyservers. Devs would still be able to do this outside of cvs using the mod_rewrite example I mentioned above.=20 Again, I am open to considering the idea of running fingerd as an alternate means of transporting data, but at this point, I am not convinced that storing things in /home directories is the right/best solution. =20 --kurt --BuBclajtnfx5hylj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/N2A0JPpRNiftIEYRAvH7AJwIxK4IHVQLUvtuH1YI6EAHSBZ2RQCfSF6o Ie1IaxoynG7ae4G7Lcu/PjY= =dq/P -----END PGP SIGNATURE----- --BuBclajtnfx5hylj--