From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev-return-5458-arch-gentoo-dev=gentoo.org@gentoo.org>
Received: (qmail 12818 invoked by uid 1002); 11 Aug 2003 09:22:39 -0000
Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-dev@gentoo.org>
List-Help: <mailto:gentoo-dev-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-dev-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@gentoo.org
Received: (qmail 27607 invoked from network); 11 Aug 2003 09:22:39 -0000
Date: Mon, 11 Aug 2003 05:22:06 -0400
From: Kurt Lieber <klieber@gentoo.org>
To: Tavis Ormandy <taviso@gentoo.org>
Cc: gentoo-dev@gentoo.org
Message-ID: <20030811092156.GO1819@mail.lieber.org>
References: <20030810223914.GB27538@sdf.lonestar.org> <20030810232734.GJ1819@mail.lieber.org> <20030811000210.GB8548@sdf.lonestar.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="BuBclajtnfx5hylj"
Content-Disposition: inline
In-Reply-To: <20030811000210.GB8548@sdf.lonestar.org>
X-GPG-Key: http://www.lieber.org/kurtl.pub.gpg
User-Agent: Mutt/1.5.4i
Subject: Re: [gentoo-dev] Finger GLEP
X-Archives-Salt: b6d89697-88a9-4938-85c0-d83610bf4605
X-Archives-Hash: 3d5b18b4877a750001a5297ba94ff587

--BuBclajtnfx5hylj
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrot=
e:
> > What ensures that the data available via fingerd will be a) complete
> > (meaning how will you ensure all developers participate) and b) up-to-d=
ate?
> > IMO, we need to identify one master source of information and *ensure* =
that
> > is used and kept up-to-date.  If we want to provide multiple avenues to
> > access that info, that's fine, but we need one database, not multiple o=
nes.
>=20
> imho, if all developers just created a ~/.pgpkey the fingerd will be
> worth having (i'll explain below why i think this is the best medium for
> key distribution).=20

You still haven't explained how we will ensure the data are up to date and
complete.  imo, this method of distribution is only useful if there is 100%
participation.  A cornerstone of your argument is that it's easy for the
user to "finger developer@gentoo.org" to get their key.  My point is that's
useless if they can't rely upon *always* being able to get that
information.

> making the keys available via the website is not ideal, getting it into
> a keyring involves a few steps, eg:
>=20
> 1) fire up web browser, navigate to query page
> 2) enter dev name, and then copy and paste key into text
>    or copy and paste url for wget to fetch
> 3) gpg --import < saved_file
> 4) rm saved_file, etc, etc.

Or, you could just do:

wget http://keys.gentoo.org/devname.gpg

which would be trivially easy to set up.  We could even use mod_rewrite to
redirect that to a public keyserver relieving us from having to administer
anything locally.  (see below for why all keys will be on public
keyservers)

> and putting the keys onto keyservers would involve getting users to
> check fingerprints, and distributing those fingerprints (agreed, checks
> should always be made anyway, but in reality i cant see that happening).

Checks need to be mandatory and, afaik, are on the feature list to be built
into Portage.  Thus, keys *will* be on public keyservers and checks *will*
be made.

> making the keys available via finger means it will be simple to get any
> keys into gpg from the command line on one line, eg:
>=20
> $ finger klieber@gentoo.org | gpg --import

or $ wget http://keys.gentoo.org/devname.gpg | gpg --import

My point is there are multiple 'easy' ways of accomplishing this task.
finger is not the only solution.

> Also, should a developer revoke or regenerate a key, they would have to
> contact someone with cvs access to the website to update it, with
> fingerd they can just login (or scp) to dev.g.o and update the key=20
> themselves, which would take effect immediately. I am totally confident=
=20
> this is the simplest and best medium for distributing developer keys.

No, if a dev needs to revoke a key, they need to send out a revocation and
yank it from all the keyservers.  Devs would still be able to do this
outside of cvs using the mod_rewrite example I mentioned above.=20

Again, I am open to considering the idea of running fingerd as an alternate
means of transporting data, but at this point, I am not convinced that
storing things in /home directories is the right/best solution. =20

--kurt

--BuBclajtnfx5hylj
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/N2A0JPpRNiftIEYRAvH7AJwIxK4IHVQLUvtuH1YI6EAHSBZ2RQCfSF6o
Ie1IaxoynG7ae4G7Lcu/PjY=
=dq/P
-----END PGP SIGNATURE-----

--BuBclajtnfx5hylj--