1 |
On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote: |
2 |
> > What ensures that the data available via fingerd will be a) complete |
3 |
> > (meaning how will you ensure all developers participate) and b) up-to-date? |
4 |
> > IMO, we need to identify one master source of information and *ensure* that |
5 |
> > is used and kept up-to-date. If we want to provide multiple avenues to |
6 |
> > access that info, that's fine, but we need one database, not multiple ones. |
7 |
> |
8 |
> imho, if all developers just created a ~/.pgpkey the fingerd will be |
9 |
> worth having (i'll explain below why i think this is the best medium for |
10 |
> key distribution). |
11 |
|
12 |
You still haven't explained how we will ensure the data are up to date and |
13 |
complete. imo, this method of distribution is only useful if there is 100% |
14 |
participation. A cornerstone of your argument is that it's easy for the |
15 |
user to "finger developer@g.o" to get their key. My point is that's |
16 |
useless if they can't rely upon *always* being able to get that |
17 |
information. |
18 |
|
19 |
> making the keys available via the website is not ideal, getting it into |
20 |
> a keyring involves a few steps, eg: |
21 |
> |
22 |
> 1) fire up web browser, navigate to query page |
23 |
> 2) enter dev name, and then copy and paste key into text |
24 |
> or copy and paste url for wget to fetch |
25 |
> 3) gpg --import < saved_file |
26 |
> 4) rm saved_file, etc, etc. |
27 |
|
28 |
Or, you could just do: |
29 |
|
30 |
wget http://keys.gentoo.org/devname.gpg |
31 |
|
32 |
which would be trivially easy to set up. We could even use mod_rewrite to |
33 |
redirect that to a public keyserver relieving us from having to administer |
34 |
anything locally. (see below for why all keys will be on public |
35 |
keyservers) |
36 |
|
37 |
> and putting the keys onto keyservers would involve getting users to |
38 |
> check fingerprints, and distributing those fingerprints (agreed, checks |
39 |
> should always be made anyway, but in reality i cant see that happening). |
40 |
|
41 |
Checks need to be mandatory and, afaik, are on the feature list to be built |
42 |
into Portage. Thus, keys *will* be on public keyservers and checks *will* |
43 |
be made. |
44 |
|
45 |
> making the keys available via finger means it will be simple to get any |
46 |
> keys into gpg from the command line on one line, eg: |
47 |
> |
48 |
> $ finger klieber@g.o | gpg --import |
49 |
|
50 |
or $ wget http://keys.gentoo.org/devname.gpg | gpg --import |
51 |
|
52 |
My point is there are multiple 'easy' ways of accomplishing this task. |
53 |
finger is not the only solution. |
54 |
|
55 |
> Also, should a developer revoke or regenerate a key, they would have to |
56 |
> contact someone with cvs access to the website to update it, with |
57 |
> fingerd they can just login (or scp) to dev.g.o and update the key |
58 |
> themselves, which would take effect immediately. I am totally confident |
59 |
> this is the simplest and best medium for distributing developer keys. |
60 |
|
61 |
No, if a dev needs to revoke a key, they need to send out a revocation and |
62 |
yank it from all the keyservers. Devs would still be able to do this |
63 |
outside of cvs using the mod_rewrite example I mentioned above. |
64 |
|
65 |
Again, I am open to considering the idea of running fingerd as an alternate |
66 |
means of transporting data, but at this point, I am not convinced that |
67 |
storing things in /home directories is the right/best solution. |
68 |
|
69 |
--kurt |