* Re: [gentoo-dev] Finger GLEP
From: Paul de Vrieze @ 2003-08-11 8:24 UTC
To: gentoo-dev
Aron Griffis said:
> I really like this idea for the following reasons:
>
> 1. Information about devs should be sourced from the devs home
> directory. It means each dev can maintain their own data, and it
> avoids the problem of having a separate area of which devs need to be
> aware. Using fingerd automatically meets this "requirement".
>
There are advantages and disadvantages. For pgp keys I personally believe
that this is not the way to go. In case a dev box gets rooted it is very
easy for a hacker to update a .gpgkey file, but if we would have an
authenticated and automated process changing the key in the ldap database
(through an easy to use script) that would increase security a lot while
still getting all the data at one place. I think the plan file can indeed
be sourced from a .plan file in the homedir. But a gpg in general hardly
gets updated, so a bit more formal access is warranted in this case.

I believe the choice has been made to centralize the developer database on
ldap. As such I believe that if we want to provide a finger service it
will need to be ldap aware and pull most information from ldap, and/or
other sources. For example for projects the current plan is to create
project.xml files containing information about the project. Including who
is part of the project. There is no final structure yet, but once we do
have it, it will be the definite authority on who works on which project.

I believe having people maintain separate information in their homedirs is
not the way to go as it will lead to incomplete and inaccurate data, and
also diminishes the need for developers to keep the definite information
up to date. (Yes that means that I think the next version of the developer
list will be autogenerated)
> 2. If we want to make dev information available on the web as well, it
> can easily be harvested (once per hour, as somebody mentioned the
> website is updated) from the dev's home dirs.
>
> 3. I agree with Tavis regarding the ease of using finger to lookup
> per-developer information such as gpg keys. Using the web is not
> quick.
>
I don't mind the use of finger as the retrieval protocol, but in this case
the server probably needs to be updated to get its information from other
sources.
>
> It seems like a good (usable/maintainable/secure) solution to me, and as
> Tavis has mentioned, it's already in use by a number of major open
> source projects.
Well, I see the use of finger as a protocol for information retrieval, but
I don't think that a standard fingerd will do the job. One way to do
things is to have a configuration file somewhere that specifies plugin
programs that supply the fingerd with information. What I mean is for
example the following:
/etc/fingerd/plugins:
getplan=/usr/gentoo/bin/getplan
and
"getplan pauldv" would then return my plan (by catting .plan from my homedir)
"getkey pauldv" though would get my key from the ldap server and would
output it to fingerd
Paul
--
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net
--
gentoo-dev@gentoo.org mailing list
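
One way the plugin dispatch proposed in the message above could be implemented, as an added example that is not part of the original post or of any Gentoo code. Only the `getplan` line comes from the message; the `getkey` path, the account-name pattern and the error strings are assumptions.

```python
import re
import subprocess

# Constructed sample of the plugin map; only the getplan line is from the message.
SAMPLE_CONFIG = """\
# /etc/fingerd/plugins
getplan=/usr/gentoo/bin/getplan
getkey=/usr/gentoo/bin/getkey
line without an equals sign
relative=bin/getplan
"""

# Assumed account-name policy: no "/", no "..", no leading "-", no whitespace.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_plugins(text):
    """Return {name: path}, skipping comments, malformed lines and relative paths."""
    plugins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, path = (part.strip() for part in line.split("=", 1))
        if name.isalnum() and path.startswith("/"):
            plugins[name] = path
    return plugins


def build_command(plugins, plugin, user):
    """Return the argv for a request, or None if the plugin or user is not acceptable."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if plugin not in plugins or not USERNAME_RE.fullmatch(user):
        return None
    return [plugins[plugin], user]


def run_plugin(plugins, plugin, user, timeout=5):
    """Run the plugin without a shell and return its output with finger's CRLF line ends."""
    argv = build_command(plugins, plugin, user)
    if argv is None:
        return "finger: no such information\r\n"
    try:
        done = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=True)
    except (OSError, subprocess.SubprocessError):
        return "finger: information unavailable\r\n"
    return "\r\n".join(done.stdout.splitlines()) + "\r\n"
```

The user name arrives from the network, so it is validated before it becomes a plugin argument and the plugin is started from an argv list rather than through a shell.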
2003-08-10 22:39 [gentoo-dev] Finger GLEP Tavis Ormandy
2003-08-11 1:17 ` Aron Griffis
2003-08-11 8:24 99% ` Paul de Vrieze