On Sat, Nov 19, 2005 at 05:06:15PM +0000, Kurt Lieber wrote:
> For instance, the way GLEP 41 suggests doing r/o cvs is not going to work.
> It suggests using a single account and placing an SSH key for each arch
> tester in that account's ~/.ssh/authorized_keys file.
text in question

"Get read-only access to the gentoo-x86 repository. This doesn't have
to be individual accounts, a single account, without a shell, with all
of their keys will be sufficient."

Note the "doesn't have to be" and "will be sufficient", it's left open
to how y'all want to implement it.

> There are no provisions for key management and I cannot see an easy way to
> handle it. It's easy to add new keys, but how do we clean out old keys for
> retired arch testers? (including arch testers that "retire" without ever
> informing us) SSH doesn't log key ID as near as I can tell, so we have no
> way of tracking what keys are used and how often. Also, how do we
> definitively correlate an SSH key with an arch tester?
>
> Now, the same question for email -- how do we manage aliases, especially
> for inactive, retired and semi-retired arch testers? We could track usage
> in logs, but between mailing list subscriptions, bugzilla notifications and
> all sorts of other automated emails, that's not an accurate representation
> of whether an email alias is actively used or not.
>
> I talked to Lance and neither he nor I were consulted about this GLEP and
> how feasible the implementation is. We both are quite concerned about the
> issues that I've outlined above as well as others.
>
> This isn't a "we're refusing to implement this GLEP" email, btw, though I'm
> sure some of you will take it as such. It is, however, a "we were never
> consulted regarding implementation details, so there are still issues that
> need to be worked out before this GLEP can go anywhere" email.

Cvs concerns above are all based upon doing single account for cvs ro;
again, it's stated as an option (iow, the option is left up to y'all).

It's not mandating anything on you for cvs, reread it if you don't
believe me. It's stating the base, that they only need the users to
have cvs ro access...

Either way, it's word games, and yes, it's kind of retarded.
~harring |
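
The key-management questions raised in the quoted text (which key logged in, how often, and which keys are candidates for removal) can be answered by joining the shared account's authorized_keys file against sshd's log. This is an added example, not part of the original thread. It assumes an OpenSSH release whose "Accepted publickey" log lines carry the key's SHA256 fingerprint, that each key's comment field names the arch tester, and a hypothetical account name `cvsro`; the keys and log lines are constructed.

```python
import base64, hashlib, re
from collections import Counter

KEY_RE = re.compile(r'\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')
LOG_RE = re.compile(r'Accepted publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)')

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_keys(authorized_keys):
    """Map fingerprint -> key comment (assumed here to name the arch tester)."""
    keys = {}
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)  # search, so a leading options field is skipped
        if m:
            keys[fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return keys

def key_usage(authorized_keys, sshd_log, account):
    """Return (logins per tester, testers whose key never logged in, unlisted fingerprints)."""
    keys = load_keys(authorized_keys)
    used = Counter(fp for user, fp in LOG_RE.findall(sshd_log) if user == account)
    per_tester = {keys[fp]: n for fp, n in used.items() if fp in keys}
    stale = sorted(c for fp, c in keys.items() if fp not in used)
    unknown = sorted(fp for fp in used if fp not in keys)
    return per_tester, stale, unknown

# Constructed sample data: the blobs are not real keys, only stand-ins to hash.
def sample_blob(name):
    return base64.b64encode(b"constructed-blob-" + name).decode()

SAMPLE_KEYS = "\n".join([
    "# shared read-only account, one key per arch tester",
    'command="cvs server",no-pty ssh-rsa %s alice@example.org' % sample_blob(b"alice"),
    "ssh-ed25519 %s bob@example.org" % sample_blob(b"bob"),
    "ssh-rsa %s carol@example.org" % sample_blob(b"carol"),
])
SAMPLE_LOG = "\n".join(
    "Nov 19 17:0%d:00 cvs sshd[100]: Accepted publickey for cvsro from 192.0.2.7 "
    "port 4022 ssh2: RSA %s" % (i, fingerprint(sample_blob(who)))
    for i, who in enumerate([b"alice", b"carol", b"alice"]))

if __name__ == "__main__":
    print(key_usage(SAMPLE_KEYS, SAMPLE_LOG, "cvsro"))
```

A key listed as stale has only gone unused within the log window examined, so the retention period of the logs bounds what this report can say about a tester's inactivity.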