On Mon, Aug 11, 2003 at 05:22:06AM -0400, Kurt Lieber wrote:
> On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote:
> >
> > imho, if all developers just created a ~/.pgpkey the fingerd will be
> > worth having (i'll explain below why i think this is the best medium for
> > key distribution).
>
> You still haven't explained how we will ensure the data are up to date and
> complete. imo, this method of distribution is only useful if there is 100%
> participation. A cornerstone of your argument is that it's easy for the
> user to "finger developer@g.o" to get their key. My point is that's
> useless if they can't rely upon *always* being able to get that
> information.
>

Well, however you choose to distribute keys there's the problem of
getting everybody to create one..that's hardly a huge issue, and the
problem exists for every method of distribution..using a keys.gentoo.org
webserver is still "rendered useless" if you can't get everybody to
generate and upload a key, how do you propose to deal with that?

imho, even if for some reason a developer decides not to upload a key,
the finger daemon will still provide information like last time mail was
received, last login, etc...still useful in my opinion.

> which would be trivially easy to set up. We could even use mod_rewrite to
> redirect that to a public keyserver relieving us from having to administer
> anything locally. (see below for why all keys will be on public
> keyservers)
>

sure, i'm not disputing it's possible, but distributing keys via http is
ugly imho.

> Checks need to be mandatory and, afaik, are on the feature list to be built
> into Portage. Thus, keys *will* be on public keyservers and checks *will*
> be made.
>

of course, but people will still want and need to add developer keys to
their personal keyrings.

> > making the keys available via finger means it will be simple to get any
> > keys into gpg from the command line on one line, eg:
> >
> > $ finger klieber@g.o | gpg --import
>
> or $ wget http://keys.gentoo.org/devname.gpg | gpg --import
>
> My point is there are multiple 'easy' ways of accomplishing this task.
> finger is not the only solution.
>

well, more like

$ wget -O - -q http://keys.gentoo.org/devname.gpg | gpg --import

and good luck getting people to remember that. surely you can
agree that accessing the key via finger (especially as the request is in
the form of an email address) is a much more elegant solution?

> Again, I am open to considering the idea of running fingerd as an alternate
> means of transporting data, but at this point, I am not convinced that
> storing things in /home directories is the right/best solution.
>
> --kurt

none of the issues apply solely to my solution, and i'm certain the
benefits outweigh the drawbacks.

--
-------------------------------------
taviso@××××××××××××.org | finger me for my gpg key.
-------------------------------------------------------

--
gentoo-dev@g.o mailing list
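
The one-line imports discussed in this thread, with a fingerprint check placed in front of them, as an added example that is not part of the original message: neither finger nor plain HTTP authenticates what it returns, so the fetched key is compared against a fingerprint obtained out of band before it reaches the keyring. The function names, the `dev.asc` file name and the sample listing are assumptions constructed for illustration, and the sketch assumes a current GnuPG 2.x `gpg` that supports `--show-keys`.

```shell
#!/bin/sh
# Added example: inspect a fetched key and import it only if its primary
# fingerprint equals one obtained out of band (key signing, signed page).
# All names and the sample data below are constructed for illustration.

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
# An "fpr" record carries the fingerprint in field 10, and the first such
# record in a listing belongs to the primary key.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Canonical form: no spaces or colons, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only when both fingerprints are non-empty and identical.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# import_verified KEYFILE EXPECTED_FPR
# KEYFILE is what `finger dev@host > dev.asc` or `wget -O dev.asc URL` saved.
import_verified() {
    # --show-keys lists the keys in the file without touching the keyring.
    actual=$(gpg --with-colons --show-keys "$1" 2>/dev/null | primary_fpr)
    if fpr_matches "$actual" "$2"; then
        gpg --import "$1"
    else
        echo "fingerprint mismatch: got '${actual}', not importing" >&2
        return 1
    fi
}

# Constructed sample of colon-format output (not a real key).
SAMPLE_LISTING='pub:-:4096:1:1111222233334444:1060560000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1060560000::0000000000000000000000000000000000000000::Example Dev <dev@example.org>::::::::::0:
sub:-:4096:1:5555666677778888:1060560000::::::e::::::23:
fpr:::::::::0000111122223333444455556666777788889999:'
```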