From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 1854 invoked by uid 1002); 11 Aug 2003 13:33:48 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 14331 invoked from network); 11 Aug 2003 13:33:48 -0000 Date: Mon, 11 Aug 2003 09:33:14 -0400 From: Kurt Lieber To: Tavis Ormandy Cc: gentoo-dev@gentoo.org Message-ID: <20030811133311.GP1819@mail.lieber.org> References: <20030810223914.GB27538@sdf.lonestar.org> <20030810232734.GJ1819@mail.lieber.org> <20030811000210.GB8548@sdf.lonestar.org> <20030811092156.GO1819@mail.lieber.org> <20030811113518.GA29154@sdf.lonestar.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="A6Z7MKnLVMfR85kG" Content-Disposition: inline In-Reply-To: <20030811113518.GA29154@sdf.lonestar.org> X-GPG-Key: http://www.lieber.org/kurtl.pub.gpg User-Agent: Mutt/1.5.4i Subject: Re: [gentoo-dev] Finger GLEP X-Archives-Salt: b17d8d64-1bc8-4013-ae0e-a5588f0c8ea4 X-Archives-Hash: 730287041b516d32b038753ac465baf8 --A6Z7MKnLVMfR85kG Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Aug 11, 2003 at 11:35:19AM +0000 or thereabouts, Tavis Ormandy wrot= e: > Well, however you choose to distribute keys theres the problem of > getting everybody to create one..thats hardly a huge issue, and the > problem exists for every method of distribution..using a keys.gentoo.org > webserver is still "rendered useless" if you cant get everybody to > generate and upload a key, how do you propose to deal with that? The efforts we have underway with secure portage will require developers to have and maintain a GPG key. It will also require them to place said key on a public keyserver. =20 > none of the issues apply solely to my solution, and im certain the > benefits outweigh the drawbacks. Well, at this point, I'm inclined to reject this GLEP and/or ask you to re-work it to incorporate some of the changes suggested by myself and others. Specifically:=20 * Data needs to be maintained in one central repository. =20 * I'm not opposed to offering fingerd as a means of data transport, as long as it pulls data from the central repository mentioned above. * I'd also be open to allowing devs the option of *supplementing* the information available via fingerd by creating a .plan or whatever. However, the core info (GPG key, name, herds info, etc.) needs to be maintained in the central repository. Basically, I see the benefits of offering fingerd as a service to our users and am willing to support that, infrastructure-wise. I do not agree, however, that fingerd should be the *primary* method of distributing this info, nor do I support the idea of storing critical information such as GPG keys in developer home dirs -- at least not as the primary "official" repository. --kurt --A6Z7MKnLVMfR85kG Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/N5sXJPpRNiftIEYRAvGyAKCBocYRiX1TUBuUtsFlg146xvDLfwCfZRNk 6FPEt8mJOqKuwrcemnjISxc= =dp7O -----END PGP SIGNATURE----- --A6Z7MKnLVMfR85kG--