From: Tavis Ormandy
To: Kurt Lieber
Cc: gentoo-dev@gentoo.org
Date: Mon, 11 Aug 2003 11:35:19 +0000
Subject: Re: [gentoo-dev] Finger GLEP
Message-ID: <20030811113518.GA29154@sdf.lonestar.org>

On Mon, Aug 11, 2003 at 05:22:06AM -0400, Kurt Lieber wrote:
> On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote:
> >
> > imho, if all developers just created a ~/.pgpkey the fingerd will be
> > worth having (i'll explain below why i think this is the best medium for
> > key distribution).
>
> You still haven't explained how we will ensure the data are up to date and
> complete. imo, this method of distribution is only useful if there is 100%
> participation. A cornerstone of your argument is that it's easy for the
> user to "finger developer@gentoo.org" to get their key. My point is that's
> useless if they can't rely upon *always* being able to get that
> information.
>

Well, however you choose to distribute keys there's the problem of getting
everybody to create one..that's hardly a huge issue, and the problem exists
for every method of distribution..using a keys.gentoo.org webserver is
still "rendered useless" if you can't get everybody to generate and upload a
key, how do you propose to deal with that?

imho, even if for some reason a developer decides not to upload a key, the
finger daemon will still provide information like last time mail was
received, last login, etc...still useful in my opinion.

> which would be trivially easy to set up. We could even use mod_rewrite to
> redirect that to a public keyserver relieving us from having to administer
> anything locally. (see below for why all keys will be on public
> keyservers)
>

sure, i'm not disputing it's possible, but distributing keys via http is ugly
imho.

> Checks need to be mandatory and, afaik, are on the feature list to be built
> into Portage. Thus, keys *will* be on public keyservers and checks *will*
> be made.
>

of course, but people will still want and need to add developer keys to
their personal keyrings.

> > making the keys available via finger means it will be simple to get any
> > keys into gpg from the command line on one line, eg:
> >
> > $ finger klieber@gentoo.org | gpg --import
>
> or $ wget http://keys.gentoo.org/devname.gpg | gpg --import
>
> My point is there are multiple 'easy' ways of accomplishing this task.
> finger is not the only solution.
>

well, more like

$ wget -O - -q http://keys.gentoo.org/devname.gpg | gpg --import

and good luck getting people to remember that. surely you can agree that
accessing the key via finger (especially as the request is in the form of an
email address) is a much more elegant solution?

> Again, I am open to considering the idea of running fingerd as an alternate
> means of transporting data, but at this point, I am not convinced that
> storing things in /home directories is the right/best solution.
>
> --kurt

none of the issues apply solely to my solution, and i'm certain the benefits
outweigh the drawbacks.

--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------

--
gentoo-dev@gentoo.org mailing list
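
An added example, not part of the original message or of any Gentoo tooling: neither finger nor plain HTTP authenticates the response, so the one-line imports discussed in this thread can be gated on a fingerprint obtained out of band. The function names are hypothetical, and a GnuPG 2.x release that supports the `show-only` import option is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint of each primary key (the fpr record that follows a pub record).
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# fpr_ok EXPECTED: succeed only if stdin lists exactly one primary key whose
# fingerprint equals EXPECTED (spaces and letter case are ignored).
fpr_ok() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fprs)
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# import_verified EXPECTED: read fetched key material on stdin and import it
# only when the fingerprint check passes. Assumes a GnuPG 2.x release with
# the show-only import option.
import_verified() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if gpg --batch --with-colons --with-fingerprint \
           --import-options show-only --import "$tmp" 2>/dev/null |
       fpr_ok "$1"; then
        gpg --batch --import "$tmp"
        rc=$?
    else
        echo "fingerprint mismatch: key not imported" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (the fingerprint is a placeholder for one obtained out of band):
#   finger klieber@gentoo.org | import_verified "<EXPECTED FINGERPRINT>"
```

The same wrapper works unchanged behind the `wget -O - -q ...` form, since it only looks at what arrives on stdin.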