| 1 |
On Mon, Aug 11, 2003 at 11:35:19AM +0000 or thereabouts, Tavis Ormandy wrote: |
| 2 |
> Well, however you choose to distribute keys theres the problem of |
| 3 |
> getting everybody to create one..thats hardly a huge issue, and the |
| 4 |
> problem exists for every method of distribution..using a keys.gentoo.org |
| 5 |
> webserver is still "rendered useless" if you cant get everybody to |
| 6 |
> generate and upload a key, how do you propose to deal with that? |
| 7 |
|
| 8 |
The efforts we have underway with secure portage will require developers to |
| 9 |
have and maintain a GPG key. It will also require them to place said key |
| 10 |
on a public keyserver. |
| 11 |
|
| 12 |
> none of the issues apply solely to my solution, and im certain the |
| 13 |
> benefits outweigh the drawbacks. |
| 14 |
|
| 15 |
Well, at this point, I'm inclined to reject this GLEP and/or ask you to |
| 16 |
re-work it to incorporate some of the changes suggested by myself and |
| 17 |
others. Specifically: |
| 18 |
|
| 19 |
* Data needs to be maintained in one central repository. |
| 20 |
* I'm not opposed to offering fingerd as a means of data transport, as long |
| 21 |
as it pulls data from the central repository mentioned above. |
| 22 |
* I'd also be open to allowing devs the option of *supplementing* the |
| 23 |
information available via fingerd by creating a .plan or whatever. |
| 24 |
However, the core info (GPG key, name, herds info, etc.) needs to be |
| 25 |
maintained in the central repository. |
| 26 |
|
| 27 |
Basically, I see the benefits of offering fingerd as a service to our users |
| 28 |
and am willing to support that, infrastructure-wise. I do not agree, |
| 29 |
however, that fingerd should be the *primary* method of distributing this |
| 30 |
info, nor do I support the idea of storing critical information such as GPG |
| 31 |
keys in developer home dirs -- at least not as the primary "official" |
| 32 |
repository. |
| 33 |
|
| 34 |
--kurt |
Archives