On Mon, Aug 11, 2003 at 10:24:40AM +0200, Paul de Vrieze wrote:
>
> There are advantages and disadvantages. For pgp keys I personally believe
> that this is not the way to go. In case a dev box gets rooted it is very
> easy for a hacker to update a .gpgkey file, but if we would have an
> authenticated and automated process changing the key in the ldap database
> (through an easy to use script) that would increase security a lot while
> still getting all the data at one place.

That's no more secure than the finger solution, once a developer's box is
rooted, all bets are off. At this point the hacker can already trojan
gpg/ssh/whatever and harvest all the passphrases and key pairs he wants,
rendering the gpg key useless.

> As such I believe that if we want to provide a finger service it
> will need to be ldap aware and pull most information from ldap, and/or
> other sources. For example for projects the current plan is to create
> project.xml files containing information about the project. Including who
> is part of the project.

Maybe, but I'm a fan of the simplicity of finger. The name and location
is the standard information from the passwd file, and three plain text
files the dev can configure as they see fit.

--
-------------------------------------
taviso@××××××××××××.org | finger me for my gpg key.
-------------------------------------------------------

--
gentoo-dev@g.o mailing list