From: Brian Harring
To: gentoo-dev@lists.gentoo.org
Date: Sat, 19 Nov 2005 16:30:53 -0600
Subject: Re: [gentoo-dev] implementation details for GLEP 41

On Sat, Nov 19, 2005 at 10:03:58PM +0000, Kurt Lieber wrote:
> On Sat, Nov 19, 2005 at 01:51:15PM -0600 or thereabouts, Brian Harring wrote:
> > Stop pointing at one interpretation of it that sucks, when the glep
> > _does_ leave it open to you how to implement it. It's a waste of
> > people's time and bandwidth, and is a bit disingenuous.
>
> I'm trying to find a solution to the issues as I see them. Telling me I'm
> wasting people's time and bandwidth doesn't seem conducive to working
> together towards a resolution to this all. If you're going to say, "it was
> passed, you guys just have to find a way to implement it. now please stop
> bothering us" then I'm going to come up with an implementation plan that
> looks something like the following:
>
> * all SSH keys and email addresses for arch testers will auto-expire after
>   60 days. If an arch tester needs to have continued access, a gentoo dev
>   will have to re-submit the key and recreate the alias for that arch
>   tester every 60 days.
>
> That meets the requirements of the GLEP down to the letter and also
> satisfies infra concerns around key management. However, it's a crappy
> solution.
>
> So, I'd much rather work together towards finding a better one.

Simple solution, that I've repeatedly pointed at. Use the existing
ldap setup. It's not infra's responsibility to add their accounts nor
disable them (that is left in the air as stated, although I'd expect
it'll fall on devrel's head). Infra doesn't even do retirement beyond
when _devrel_ asks them to. If that process is slow, ask for help and
someone will chip in and improve it (mainly to minimize bottleneck
involved).

A simple script handling a pull from ldap sshPubKey attribute
updating $USER/.ssh/authorized_keys on lark, you've got the cvs ro
issue licked. Doesn't require anything crazy/new, and could be
implemented in no time- no infra overhead beyond an initial setup cost
for cvs, which I would be willing to implement myself.

It's minor to do it within existing framework, which is why I've
stated it's daft pointing at the minimal requirement as admin hell.
~harring
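An added example, not part of the original message or of any Gentoo infra tooling: a sketch of the kind of sync script the message describes, turning sshPubKey values from LDIF text (as `ldapsearch -LLL` would emit) into authorized_keys content. The function names, the key-type allowlist and the sample entry are assumptions; the point shown is that each directory value is accepted only if it is one bare public key, so an LDAP entry cannot carry option prefixes or extra lines into the file.

```python
import base64, os, struct, tempfile
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}   # assumption: local key-type policy

def ldif_values(ldif, attr="sshPubKey"):
    """Yield values of attr from `ldapsearch -LLL`-style LDIF text."""
    for line in ldif.replace("\n ", "").splitlines():   # undo LDIF line folding
        name, sep, value = line.partition(":")
        if sep and name.lower() == attr.lower():
            if value.startswith(":"):                    # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            yield value.strip()

def valid_key(value):
    """Return 'type blob' if value is exactly one bare public key, else None."""
    fields = value.split()
    if "\n" in value or len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None              # refuses option prefixes and multi-line values
    try:
        blob = base64.b64decode(fields[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):
        return None
    if blob[4:4 + n] != fields[0].encode():   # type inside blob must match label
        return None
    return f"{fields[0]} {fields[1]}"         # comment field is dropped

def render(ldif):
    keys = filter(None, map(valid_key, ldif_values(ldif)))
    return "".join(k + "\n" for k in dict.fromkeys(keys))   # de-duplicated

def write_atomic(path, content):
    """Swap the file in with one rename so sshd never reads a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)

def constructed_key(comment):    # all-zero key material, constructed sample only
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

SAMPLE_LDIF = (                  # constructed input, not real directory data
    "dn: uid=tester,ou=example\n"
    f"sshPubKey: {constructed_key('tester@example')}\n"
    f'sshPubKey: command="/bin/sh" {constructed_key("x")}\n'
    "sshPubKey:: "
    + base64.b64encode((constructed_key("a") + "\nssh-rsa AAAA").encode()).decode() + "\n"
)
```

Of the three sample values only the first survives `render(SAMPLE_LDIF)`; the one with a `command=` prefix and the base64-encoded multi-line one are dropped.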