| 1 |
On Mon, Aug 11, 2003 at 10:24:40AM +0200, Paul de Vrieze wrote: |
| 2 |
> |
| 3 |
> There are advantages and disadvantages. For pgp keys I personally believe |
| 4 |
> that this is not the way to go. In case a dev box gets rooted it is very |
| 5 |
> easy for a hacker to update a .gpgkey file, but if we would have an |
| 6 |
> authenticated and automated process changing the key in the ldap database |
| 7 |
> (through an easy to use script) that would increase security a lot while |
| 8 |
> still getting all the data at one place. |
| 9 |
|
| 10 |
Thats no more secure than the finger solution, once a developer's box is |
| 11 |
rooted, all bets are off. At this point the hacker can already trojan |
| 12 |
gpg/ssh/whatever and harvest all the passphrases and key pairs he wants, |
| 13 |
rendering the gpg key useless. |
| 14 |
|
| 15 |
> As such I believe that if we want to provide a finger service it |
| 16 |
> will need to be ldap aware and pull most information from ldap, and/or |
| 17 |
> other sources. For example for projects the current plan is to create |
| 18 |
> project.xml files containing information about the project. Including who |
| 19 |
> is part of the project. |
| 20 |
|
| 21 |
maybe, but im a fan of the simplicity of finger. The name and location |
| 22 |
is the standard information from the passwd file, and three plain text |
| 23 |
files the dev can configure as they see fit. |
| 24 |
|
| 25 |
-- |
| 26 |
------------------------------------- |
| 27 |
taviso@××××××××××××.org | finger me for my gpg key. |
| 28 |
------------------------------------------------------- |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-dev@g.o mailing list |
Archives