* Re: [gentoo-dev] Finger GLEP
@ 2003-08-11 0:02 99% ` Tavis Ormandy
0 siblings, 0 replies; 1+ results
From: Tavis Ormandy @ 2003-08-11 0:02 UTC (permalink / raw
To: Kurt Lieber; +Cc: gentoo-dev
On Sun, Aug 10, 2003 at 07:27:37PM -0400, Kurt Lieber wrote:
> OK, I guess this one is an infrastructure GLEP to approve/reject. I'd also
> like to get input from seemant as the devrel manager.
>
> I have security concerns about running fingerd, but I can see how the
> benefits outweigh the risks in this case.
I thought some people might, im not sure what the specific issues you
have are, but I know that a lot of people have had the "finger == bad"
hammered into them, partly due to the information leakage, and partly as
some of the early (pre 1980s) implementations were famously poor.
I'm confident it is totally secure to use fingerd, and i included the
list of famous sites using fingerd as precedent...but i understand it
still makes some admins nervous :)
> However, there are still several
> areas that I don't see being addressed by this GLEP:
>
> 1) We already suffer from what I call "information sprawl" right now,
> meaning we have the same information spread out across multiple places,
> with no one place being the "master repository". The net result of this is
> that users have to hunt through multiple repositories to try to find out
> which one the developer chose to use for their particular query.
agreed, but i think the specific type of information that would be kept
in .plans is not available in any easy form right now, i guess tracking
cvs commits and searching through usernames with bugzilla is the closest
way you can get to an activity report, which is just not practical for
most users, and even developers in a rush would probably not bother.
> What ensures that the data available via fingerd will be a) complete
> (meaning how will you ensure all developers participate) and b) up-to-date?
> IMO, we need to identify one master source of information and *ensure* that
> is used and kept up-to-date. If we want to provide multiple avenues to
> access that info, that's fine, but we need one database, not multiple ones.
>
imho, if all developers just created a ~/.pgpkey the fingerd will be
worth having (i'll explain below why i think this is the best medium for
key distribution). In the implementations i have seen, people have
always kept their .plans reasonably up to date, its an easy way to keep
people notified of things that they are working on (or an in depth
description of their responsibilities, etc) and if the finger daemon was
well known about (mentioned in gwn, for example) it will give users a
chance to check for updates before firing off an email.
> 2) Tangental to the issue above, we've already talked about placing things
> like GPG keys on the web site in XML format and pulling the other info (dev
> name, location, projects, etc.) in via XML as well. Why is the fingerd
> solution a better one? Items on the web site are updated hourly. I can't
> think of too many cases where that type of freshness isn't timely enough.
>
> --kurt
Yep, i suggested a fingerd at the time. imho, its the best way for
distributing keys.
making the keys available via the website is not ideal, getting it into
a keyring involves a few steps, eg:
1) fire up web browser, navigate to query page
2) enter dev name, and then copy and paste key into text
or copy and paste url for wget to fetch
3) gpg --import < saved_file
4) rm saved_file, etc, etc.
and putting the keys onto keyservers would involve getting users to
check fingerprints, and distributing those fingerprints (agreed, checks
should always be made anyway, but in reality i cant see that happening).
making the keys available via finger means it will be simple to get any
keys into gpg from the command line on one line, eg:
$ finger klieber@gentoo.org | gpg --import
the user can be confident the key is really yours, and only one basic
command is required (you can test this with my key, my address is in my
.sig).
Also, should a developer revoke or regenerate a key, they would have to
contact someone with cvs access to the website to update it, with
fingerd they can just login (or scp) to dev.g.o and update the key
themselves, which would take effect immediately. I am totally confident
this is the simplest and best medium for distributing developer keys.
Thanks, Tavis.
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
--
gentoo-dev@gentoo.org mailing list
^ permalink raw reply [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2003-08-10 22:39 [gentoo-dev] Finger GLEP Tavis Ormandy
2003-08-10 23:27 ` Kurt Lieber
2003-08-11 0:02 99% ` Tavis Ormandy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox