On Mon, Aug 11, 2003 at 11:35:19AM +0000 or thereabouts, Tavis Ormandy wrote:
> Well, however you choose to distribute keys there's the problem of
> getting everybody to create one..that's hardly a huge issue, and the
> problem exists for every method of distribution..using a keys.gentoo.org
> webserver is still "rendered useless" if you can't get everybody to
> generate and upload a key, how do you propose to deal with that?
|
The efforts we have underway with secure portage will require developers to
have and maintain a GPG key. It will also require them to place said key
on a public keyserver.
|
> none of the issues apply solely to my solution, and I'm certain the
> benefits outweigh the drawbacks.
|
Well, at this point, I'm inclined to reject this GLEP and/or ask you to
re-work it to incorporate some of the changes suggested by myself and
others. Specifically:
|
* Data needs to be maintained in one central repository.
* I'm not opposed to offering fingerd as a means of data transport, as long
  as it pulls data from the central repository mentioned above.
* I'd also be open to allowing devs the option of *supplementing* the
  information available via fingerd by creating a .plan or whatever.
  However, the core info (GPG key, name, herds info, etc.) needs to be
  maintained in the central repository.
|
Basically, I see the benefits of offering fingerd as a service to our users
and am willing to support that, infrastructure-wise. I do not agree,
however, that fingerd should be the *primary* method of distributing this
info, nor do I support the idea of storing critical information such as GPG
keys in developer home dirs -- at least not as the primary "official"
repository.
|
--kurt