| 1 |
On Mon, Aug 11, 2003 at 05:22:06AM -0400, Kurt Lieber wrote: |
| 2 |
> On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote: |
| 3 |
> > |
| 4 |
> > imho, if all developers just created a ~/.pgpkey the fingerd will be |
| 5 |
> > worth having (i'll explain below why i think this is the best medium for |
| 6 |
> > key distribution). |
| 7 |
> |
| 8 |
> You still haven't explained how we will ensure the data are up to date and |
| 9 |
> complete. imo, this method of distribution is only useful if there is 100% |
| 10 |
> participation. A cornerstone of your argument is that it's easy for the |
| 11 |
> user to "finger developer@g.o" to get their key. My point is that's |
| 12 |
> useless if they can't rely upon *always* being able to get that |
| 13 |
> information. |
| 14 |
> |
| 15 |
|
| 16 |
Well, however you choose to distribute keys theres the problem of |
| 17 |
getting everybody to create one..thats hardly a huge issue, and the |
| 18 |
problem exists for every method of distribution..using a keys.gentoo.org |
| 19 |
webserver is still "rendered useless" if you cant get everybody to |
| 20 |
generate and upload a key, how do you propose to deal with that? |
| 21 |
|
| 22 |
imho, even if for some reason a developer decides not to upload a key, |
| 23 |
the finger daemon will still provide information like last time mail was |
| 24 |
received, last login, etc...still useful in my opinion. |
| 25 |
|
| 26 |
> which would be trivially easy to set up. We could even use mod_rewrite to |
| 27 |
> redirect that to a public keyserver relieving us from having to administer |
| 28 |
> anything locally. (see below for why all keys will be on public |
| 29 |
> keyservers) |
| 30 |
> |
| 31 |
|
| 32 |
sure, im not disputing its possible, but distributing keys via http is |
| 33 |
ugly imho. |
| 34 |
|
| 35 |
> Checks need to be mandatory and, afaik, are on the feature list to be built |
| 36 |
> into Portage. Thus, keys *will* be on public keyservers and checks *will* |
| 37 |
> be made. |
| 38 |
> |
| 39 |
|
| 40 |
of course, but people will still want and need to add developer keys to |
| 41 |
their personal keyrings. |
| 42 |
|
| 43 |
> > making the keys available via finger means it will be simple to get any |
| 44 |
> > keys into gpg from the command line on one line, eg: |
| 45 |
> > |
| 46 |
> > $ finger klieber@g.o | gpg --import |
| 47 |
> |
| 48 |
> or $ wget http://keys.gentoo.org/devname.gpg | gpg --import |
| 49 |
> |
| 50 |
> My point is there are multiple 'easy' ways of accomplishing this task. |
| 51 |
> finger is not the only solution. |
| 52 |
> |
| 53 |
|
| 54 |
well, more like |
| 55 |
|
| 56 |
$ wget -O - -q http://keys.gentoo.org/devname.gpg | gpg --import |
| 57 |
|
| 58 |
and good luck getting people to remember that. surely you can |
| 59 |
agree that accessing the key via finger (especially as the request is in |
| 60 |
the form of an email address) is a much more elegant solution? |
| 61 |
|
| 62 |
> Again, I am open to considering the idea of running fingerd as an alternate |
| 63 |
> means of transporting data, but at this point, I am not convinced that |
| 64 |
> storing things in /home directories is the right/best solution. |
| 65 |
> |
| 66 |
> --kurt |
| 67 |
|
| 68 |
none of the issues apply solely to my solution, and im certain the |
| 69 |
benefits outweigh the drawbacks. |
| 70 |
|
| 71 |
-- |
| 72 |
------------------------------------- |
| 73 |
taviso@××××××××××××.org | finger me for my gpg key. |
| 74 |
------------------------------------------------------- |
| 75 |
|
| 76 |
-- |
| 77 |
gentoo-dev@g.o mailing list |
Archives