public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
From: Tavis Ormandy <taviso@gentoo.org>
To: Kurt Lieber <klieber@gentoo.org>
Cc: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] Finger GLEP
Date: Mon, 11 Aug 2003 11:35:19 +0000	[thread overview]
Message-ID: <20030811113518.GA29154@sdf.lonestar.org> (raw)
In-Reply-To: <20030811092156.GO1819@mail.lieber.org>

On Mon, Aug 11, 2003 at 05:22:06AM -0400, Kurt Lieber wrote:
> On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote:
> > 
> > imho, if all developers just created a ~/.pgpkey the fingerd will be
> > worth having (i'll explain below why i think this is the best medium for
> > key distribution). 
> 
> You still haven't explained how we will ensure the data are up to date and
> complete.  imo, this method of distribution is only useful if there is 100%
> participation.  A cornerstone of your argument is that it's easy for the
> user to "finger developer@gentoo.org" to get their key.  My point is that's
> useless if they can't rely upon *always* being able to get that
> information.
> 

Well, however you choose to distribute keys theres the problem of
getting everybody to create one..thats hardly a huge issue, and the
problem exists for every method of distribution..using a keys.gentoo.org
webserver is still "rendered useless" if you cant get everybody to
generate and upload a key, how do you propose to deal with that?

imho, even if for some reason a developer decides not to upload a key,
the finger daemon will still provide information like last time mail was
received, last login, etc...still useful in my opinion.

> which would be trivially easy to set up.  We could even use mod_rewrite to
> redirect that to a public keyserver relieving us from having to administer
> anything locally.  (see below for why all keys will be on public
> keyservers)
> 

sure, im not disputing its possible, but distributing keys via http is
ugly imho.

> Checks need to be mandatory and, afaik, are on the feature list to be built
> into Portage.  Thus, keys *will* be on public keyservers and checks *will*
> be made.
> 

of course, but people will still want and need to add developer keys to
their personal keyrings. 

> > making the keys available via finger means it will be simple to get any
> > keys into gpg from the command line on one line, eg:
> > 
> > $ finger klieber@gentoo.org | gpg --import
> 
> or $ wget http://keys.gentoo.org/devname.gpg | gpg --import
> 
> My point is there are multiple 'easy' ways of accomplishing this task.
> finger is not the only solution.
> 

well, more like 

	$ wget -O - -q http://keys.gentoo.org/devname.gpg | gpg --import

and good luck getting people to remember that. surely you can
agree that accessing the key via finger (especially as the request is in
the form of an email address) is a much more elegant solution?

> Again, I am open to considering the idea of running fingerd as an alternate
> means of transporting data, but at this point, I am not convinced that
> storing things in /home directories is the right/best solution.  
> 
> --kurt

none of the issues apply solely to my solution, and im certain the
benefits outweigh the drawbacks.

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------

--
gentoo-dev@gentoo.org mailing list


  reply	other threads:[~2003-08-11 11:35 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-08-10 22:39 [gentoo-dev] Finger GLEP Tavis Ormandy
2003-08-10 23:27 ` Kurt Lieber
2003-08-10 23:36   ` Seemant Kulleen
2003-08-11  0:17     ` Tavis Ormandy
2003-08-11  0:57       ` Spider
2003-08-11  0:02   ` Tavis Ormandy
2003-08-11  9:22     ` Kurt Lieber
2003-08-11 11:35       ` Tavis Ormandy [this message]
2003-08-11 12:37         ` Paul de Vrieze
2003-08-11 12:59           ` Tavis Ormandy
2003-08-11 13:33         ` Kurt Lieber
2003-08-11 14:01           ` Tavis Ormandy
2003-08-11  0:03   ` Grant Goodyear
2003-08-11  8:05   ` Paul de Vrieze
2003-08-11  1:17 ` Aron Griffis
2003-08-11  8:24   ` Paul de Vrieze
2003-08-11 12:09     ` Tavis Ormandy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030811113518.GA29154@sdf.lonestar.org \
    --to=taviso@gentoo.org \
    --cc=gentoo-dev@gentoo.org \
    --cc=klieber@gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox