Bouncing to the list so y'all can see the whole reply.

On Fri, Jul 18, 2008 at 02:33:40AM -0700, Ryan Murray wrote:
> On Tue, 8 Jul 2008 12:59:19 -0500
> Stephen R Marenka <stephen@marenka.net> wrote:
>
> > Please find attached the ssh keys and email addresses of the 23 current
> > m68k buildds. I hope to be able to add 4 more sometime this year.
> >
> > May 14 or so was the last time any of the m68k porters had access to
> > buildd.debian.org. I've been maintaining our status manually since then.
>
> DSA disabled all ssh keys around that time due to the SSL
> vulnerability, and the attached message was sent to
> buildd-maintainers@buildd.d.o, which expands to all of the
> arch@buildd.debian.org aliases. m68k@buildd.debian.org forwards to
> m68k-build@nocrew.org, with special exim rewriting logic so that the
> To: is always seen as m68k-build@nocrew.org. I've never seen a request
> for this to be updated. Other archs replied to the correct address by
> May 16th at the latest, and all issues with the changes for them were
> sorted out by May 21st.
>
> > I've tried contacting buildd-team@b.d.o as well as other roles and
> > individual addresses regularly since then.
>
> buildd-team@ is the first address I fixed from the horrible spam
> situation the address was in on my side, on May 13th, when the problem
> occurred. I unfortunately sent the message without a reply-to: of the
> only address I had that wasn't mostly a black hole. I received a
> message on Jun 8th, replied on Jun 9th, and got a reply on Jun 11th,
> with a followup message, and another followup on June 24th with
> additional buildds. Unfortunately, that was the start of my ~5 weeks of
> moving disruption, combined with the final month before a release at
> $work. I'm sorry that this timing, combined with the spam-blackhole
> nature of my email addresses (before May 13th for buildd-team, and late June for
> other @d.o addresses and @cyberhqz.com), means that the messages I've
> referred to are the only ones I've seen.
>
> > concrete results. I believe other m68k porters have tried similarly with
> > the same results.
>
> Other than Michael Casadevall on June 23rd that you replied to on the
> 24th (the followup referred to above), there hasn't been any other mail
> from other m68k porters to the requested contact address
> buildd-team@buildd.debian.org. I can't be sure on the other addresses
> before June 21, but there hasn't been anything since. I believe
> someone may have opened a DSA RT ticket which subsequently got closed
> as "wrong place" by DSA.
>
> > I have in the past advocated that one of the m68k team be granted
> > access to update the ssh keys for buildd_m68k@b.d.o. I still think this
> > is the best approach, but I have little faith in this being the result.
>
> As part of the process requires root access to update and reload apache
> config files, there isn't much hope for a non-automated form of updates
> this way.
>
> > We have not had an etch-m68k/stable or stable-security w-b database since
> > etch was released. Even though we've made multiple requests.
>
> etch-m68k was created by one ftp-master who told the others that he
> would "do all the work" required to support it, and it was left to that.
> I've been swamped with a new startup job since the release of etch, so
> haven't had time to hack the buildd scripts to support etch-m68k/stable.
>
> > We've been trying for months (since Feb. 14) to update the ssh keys for
> > new buildds. The last update before that only happened after a
> > face-to-face meeting at a conference. (And even then, not all of the
> > keys were set up correctly.)
>
> This has been in part due to the spamful nature of several Debian role
> addresses and over-eager adaptive anti-spam software. It means I've
> never seen any of the requests, and they're buried in several gigs of
> spam.
>
> > So please, either explicitly update our keys, give one of us access, or
> > tell us you won't support us any longer. I'm rather tired of being
>
> I've updated the keys for buildds that already existed. For the new
> buildds, I need either an IP address for static IP buildds, or a
> 12 character+ password via encrypted email for dynamic IPs for
> incoming.debian.org access. Security access needs a separate password
> for each buildd with access. Buildds not entirely managed by Debian
> Developers should likely not build security, as embargoed updates
> should have minimum visibility outside (and even within) the project.
> It's really the security team's call in the end on that part, tho.
>
> > ignored. You've spent more time deleting my emails than it takes to fix
> > the keys.
>
> I haven't actively deleted anything. I'm sorry that the situation has
> led you to believe this.
>
> > In the event that y'all don't wish to support us any longer, m68k will
> > either host our own w-b database or perhaps the debian-ports folks will
> > support us. Either way, it would be nice if we could coordinate a transfer
> > so that we don't lose any state information.
>
> I've heard rumours from a couple of groups that after the release of
> lenny, they are looking at changes which will mean a move from
> buildd.d.o wanna-build in any case:
>  * ftp-master is looking at dropping from unstable archs that
>    haven't made a release in 2+ releases to free up primary mirror space
>    for archive growth and new archs that seem more ready to be in a
>    release.
>  * Some active DSA members feel that keeping etch m68k systems
>    updated is a lot of time better spent doing many other things. That
>    situation is only getting worse from release to release.
>
> So, after the lenny release timeframe, m68k should look at moving all
> the infrastructure (archive/dev systems/buildds/w-b) to one place (such
> as debian-ports.org, which other archs are using as a pre-ftp-master
> staging area).
>
> I've attached the updated buildd_m68k authorized_keys file. It's also
> helpful to know who is the local maintainer for each buildd, as that's
> how the current file is laid out. Once I have the IPs/passwords for
> the commented out buildds at the bottom, I'll enable them. Sorry again
> for taking so long to get back to you.
>
> AF:
> NF:0
> PS:10
> SRH:1
> SFN:
> DSR:
> MID:
> CFG:
> PT:0
> S:rmurray@cyberhqz.com
> RQ:
> SSV:mail.cyberhqz.com
> NSV:
> SSH:
> R:<buildd-maintainers@buildd.debian.org>
> MAID:3
> X-Claws-Privacy-System:pgpmime
> X-Claws-Sign:1
> SCF:#imap/rmurray@cyberhqz.com/Sent
> X-Claws-End-Special-Headers: 1
> From: Ryan Murray <rmurray@debian.org>
> To: buildd-maintainers@buildd.debian.org
> Subject: Updated ssh keys
>
> With the openssl vulnerability recently discovered, all buildd ssh keys
> have been disabled by DSA. Please send updated RSA public keys to
> buildd-team@buildd.debian.org for all of your buildds to have
> wanna-build access restored.
>

--
Stephen R. Marenka     If life's not fun, you're not doing it right!
<stephen@marenka.net>