| 1 |
On Mon, Aug 11, 2003 at 12:02:10AM +0000 or thereabouts, Tavis Ormandy wrote: |
| 2 |
> > What ensures that the data available via fingerd will be a) complete |
| 3 |
> > (meaning how will you ensure all developers participate) and b) up-to-date? |
| 4 |
> > IMO, we need to identify one master source of information and *ensure* that |
| 5 |
> > is used and kept up-to-date. If we want to provide multiple avenues to |
| 6 |
> > access that info, that's fine, but we need one database, not multiple ones. |
| 7 |
> |
| 8 |
> imho, if all developers just created a ~/.pgpkey the fingerd will be |
| 9 |
> worth having (i'll explain below why i think this is the best medium for |
| 10 |
> key distribution). |
| 11 |
|
| 12 |
You still haven't explained how we will ensure the data are up to date and |
| 13 |
complete. imo, this method of distribution is only useful if there is 100% |
| 14 |
participation. A cornerstone of your argument is that it's easy for the |
| 15 |
user to "finger developer@g.o" to get their key. My point is that's |
| 16 |
useless if they can't rely upon *always* being able to get that |
| 17 |
information. |
| 18 |
|
| 19 |
> making the keys available via the website is not ideal, getting it into |
| 20 |
> a keyring involves a few steps, eg: |
| 21 |
> |
| 22 |
> 1) fire up web browser, navigate to query page |
| 23 |
> 2) enter dev name, and then copy and paste key into text |
| 24 |
> or copy and paste url for wget to fetch |
| 25 |
> 3) gpg --import < saved_file |
| 26 |
> 4) rm saved_file, etc, etc. |
| 27 |
|
| 28 |
Or, you could just do: |
| 29 |
|
| 30 |
wget http://keys.gentoo.org/devname.gpg |
| 31 |
|
| 32 |
which would be trivially easy to set up. We could even use mod_rewrite to |
| 33 |
redirect that to a public keyserver relieving us from having to administer |
| 34 |
anything locally. (see below for why all keys will be on public |
| 35 |
keyservers) |
| 36 |
|
| 37 |
> and putting the keys onto keyservers would involve getting users to |
| 38 |
> check fingerprints, and distributing those fingerprints (agreed, checks |
| 39 |
> should always be made anyway, but in reality i cant see that happening). |
| 40 |
|
| 41 |
Checks need to be mandatory and, afaik, are on the feature list to be built |
| 42 |
into Portage. Thus, keys *will* be on public keyservers and checks *will* |
| 43 |
be made. |
| 44 |
|
| 45 |
> making the keys available via finger means it will be simple to get any |
| 46 |
> keys into gpg from the command line on one line, eg: |
| 47 |
> |
| 48 |
> $ finger klieber@g.o | gpg --import |
| 49 |
|
| 50 |
or $ wget http://keys.gentoo.org/devname.gpg | gpg --import |
| 51 |
|
| 52 |
My point is there are multiple 'easy' ways of accomplishing this task. |
| 53 |
finger is not the only solution. |
| 54 |
|
| 55 |
> Also, should a developer revoke or regenerate a key, they would have to |
| 56 |
> contact someone with cvs access to the website to update it, with |
| 57 |
> fingerd they can just login (or scp) to dev.g.o and update the key |
| 58 |
> themselves, which would take effect immediately. I am totally confident |
| 59 |
> this is the simplest and best medium for distributing developer keys. |
| 60 |
|
| 61 |
No, if a dev needs to revoke a key, they need to send out a revocation and |
| 62 |
yank it from all the keyservers. Devs would still be able to do this |
| 63 |
outside of cvs using the mod_rewrite example I mentioned above. |
| 64 |
|
| 65 |
Again, I am open to considering the idea of running fingerd as an alternate |
| 66 |
means of transporting data, but at this point, I am not convinced that |
| 67 |
storing things in /home directories is the right/best solution. |
| 68 |
|
| 69 |
--kurt |
Archives