Date: Mon, 11 Aug 2003 12:09:18 +0000
From: Tavis Ormandy
To: Paul de Vrieze
Cc: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] Finger GLEP
Message-ID: <20030811120918.GC29154@sdf.lonestar.org>
In-Reply-To: <19913.134.188.150.80.1060590280.squirrel@callisto.cs.kun.nl>

On Mon, Aug 11, 2003 at 10:24:40AM +0200, Paul de Vrieze wrote:
>
> There are advantages and disadvantages. For pgp keys I personally believe
> that this is not the way to go. In case a dev box gets rooted it is very
> easy for a hacker to update a .gpgkey file, but if we would have an
> authenticated and automated process changing the key in the ldap database
> (through an easy to use script) that would increase security a lot while
> still getting all the data at one place.

That's no more secure than the finger solution, once a developer's box is
rooted, all bets are off. At this point the hacker can already trojan
gpg/ssh/whatever and harvest all the passphrases and key pairs he wants,
rendering the gpg key useless.

> As such I believe that if we want to provide a finger service it
> will need to be ldap aware and pull most information from ldap, and/or
> other sources. For example for projects the current plan is to create
> project.xml files containing information about the project. Including who
> is part of the project.

Maybe, but I'm a fan of the simplicity of finger. The name and location is
the standard information from the passwd file, and three plain text files
the dev can configure as they see fit.

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------

--
gentoo-dev@gentoo.org mailing list