| 1 |
On Sat, Nov 19, 2005 at 05:06:15PM +0000, Kurt Lieber wrote: |
| 2 |
> For instance, the way GLEP 41 suggests doing r/o cvs is not going to work. |
| 3 |
> It suggests using a single account and placing an SSH key for each arch |
| 4 |
> tester in that account's ~/.ssh/authorized_keys file. |
| 5 |
text in question |
| 6 |
|
| 7 |
"Get read-only access to the gentoo-x86 repository. This doesn't have |
| 8 |
to be individual accounts, a single account, without a shell, with all |
| 9 |
of their keys will be sufficiant." |
| 10 |
|
| 11 |
Note the "doesn't have to be" and "will be sufficient", it's left open |
| 12 |
to how y'all want to implement it. |
| 13 |
|
| 14 |
> There are no provisions for key management and I cannot see an easy way to |
| 15 |
> handle it. It's easy to add new keys, but how do we clean out old keys for |
| 16 |
> retired arch testers? (including arch testers that "retire" without ever |
| 17 |
> informing us) SSH doesn't log key ID as near as I can tell, so we have no |
| 18 |
> way of tracking what keys are used and how often. Also, how do we |
| 19 |
> definitively correlate an SSH key with an arch tester? |
| 20 |
> |
| 21 |
> Now, the same question for email -- how do we manage aliases, especially |
| 22 |
> for inactive, retired and semi-retired arch testers? We could track usage |
| 23 |
> in logs, but between mailing list subscriptions, bugzilla notifications and |
| 24 |
> all sorts of other automated emails, that's not an accurate representation |
| 25 |
> of whether an email alias is actively used or not. |
| 26 |
> |
| 27 |
> I talked to Lance and neither he nor I were consulted about this GLEP and |
| 28 |
> how feasible the implementation is. We both are quite concerned about the |
| 29 |
> issues that I've outlined above as well as others. |
| 30 |
> |
| 31 |
> This isn't a "we're refusing to implement this GLEP" email, btw, though I'm |
| 32 |
> sure some of you will take it as such. It is, however, a "we were never |
| 33 |
> consulted regarding implementation details, so there are still issues that |
| 34 |
> need to be worked out before this GLEP can go anywhere" email. |
| 35 |
|
| 36 |
Cvs concerns above are all based upon doing single account for cvs ro; |
| 37 |
again, it's stated as an option (iow, the option is left up to y'all). |
| 38 |
|
| 39 |
It's not mandating anything on you for cvs, reread it if you don't |
| 40 |
believe me. It's stating the base, that they only need the users to |
| 41 |
have cvs ro access... |
| 42 |
|
| 43 |
Either way, it's word games, and yes, it's kind of retarded. |
| 44 |
~harring |
Archives