| 1 |
On Sat, Nov 19, 2005 at 06:57:41PM +0100 or thereabouts, Danny van Dyk wrote: |
| 2 |
> | There are no provisions for key management and I cannot see an easy way to |
| 3 |
> | handle it. It's easy to add new keys, but how do we clean out old keys for |
| 4 |
> | retired arch testers? (including arch testers that "retire" without ever |
| 5 |
> | informing us) SSH doesn't log key ID as near as I can tell, so we have no |
| 6 |
> | way of tracking what keys are used and how often. Also, how do we |
| 7 |
> | definitively correlate an SSH key with an arch tester? |
| 8 |
> |
| 9 |
> Do we have to? Nobody has to track how often an Arch Tester uses RO |
| 10 |
> access to CVS, as you don't need that information. RO CVS access is a |
| 11 |
> service to the ATs. Their work is pretty much outside CVS... |
| 12 |
|
| 13 |
Yes, we have to. If someone retires, their access needs to be revoked. |
| 14 |
|
| 15 |
> | Now, the same question for email -- how do we manage aliases, especially |
| 16 |
> | for inactive, retired and semi-retired arch testers? We could track usage |
| 17 |
> | in logs, but between mailing list subscriptions, bugzilla |
| 18 |
> notifications and |
| 19 |
> | all sorts of other automated emails, that's not an accurate representation |
| 20 |
> | of whether an email alias is actively used or not. |
| 21 |
> Afaik the gentoo.org address is only a forward to their normal adress, |
| 22 |
> so one can hardly speak 'active usage'. You simply can't actively use |
| 23 |
> it! On the other hand, tracking down how active/inactive a AT/HT is |
| 24 |
> falls under the project the AT/HT is associated with, or the AT/HT |
| 25 |
> Project (hparker) as last resort. So if he says 'AT foo is inactive', |
| 26 |
> he's to be removed from email forwarding and CVS RO Access. I really |
| 27 |
> don't see the problem here. |
| 28 |
|
| 29 |
Because, in practice, this doesn't happen. Accounts (or, in this case, |
| 30 |
email addresses) stay around until someone gets enough of a bee under their |
| 31 |
bonnet to do somethig about it. Since there's no pain or cost for the |
| 32 |
AT/HT project lead, there's no reason for them to be vigilant about |
| 33 |
tracking activity. Plus, assuming we have a large number of these testers, |
| 34 |
how are people going to know whether or not one specific arch tester is |
| 35 |
active? That's not an acceptable solution. |
| 36 |
|
| 37 |
--kurt |
Archives