> I'll bite. What were you planning on doing? Can we get an
> effort started by just doing a maintainer ping, asking for the
> location (city, country, latitude, longitude) and massage it into a
> xearth file? This is lo-tech, but is easy to do (I'll collate all
> the data), and will set up a fairly up-to-date file for all people
> willing to have this data made public. Sounds like a good start.
> This could also be made an optional part of the new maintainer
> process, to ensure the data is updated.
>
> Setting up a web based system can then be done at our leisure
> (or maybe a pgp-signed email message can remain the interface).

I was going to concentrate on a web system which stored the data in a back-end database. The developers would be able to log in and update their own records.

As far as the information to be collected, I was thinking of collecting both public data and confidential data. The form would probably ask for name, e-mail, phone, address, country, latitude-longitude, PGP key, maybe even an X-Face or picon... Some items would be private (like phone number), and used primarily for maintainer verification. Other items would be public (like e-mail address). Yet other items would only be public if the maintainer approved of it. I believe that Klee is in charge of new maintainer verification, so he'd probably have some ideas about what to ask.

I was thinking that a cron job could build an official list of developers every day, and put that on master.

I thought of several authentication schemes:

1) Assign everybody a password (running on a web server somewhere) - this is probably easiest, but then everybody has another password to worry about.

2) Place the system on master.debian.org, and authenticate against /etc/passwd using the user account passwords - the disadvantage of this is that it requires mucking around with the web server on master. Also, authenticating against the passwords on master could possibly be a security hole.

3) Set up a Debian SSL Certificate Authority - we could place the users' certificates in their directories on master (read-only) - or mail them to them in encrypted form - then they could install the certificates in their web browsers (following instructions or via a CGI) - then they could access an SSL web server and be authenticated that way - this method has the advantage that we could assign one certificate to each developer, and this could be used to authenticate them on multiple servers (for different purposes) around the world without having to tie the servers together in some common authentication scheme. All the servers would have to do is trust the CA.

4) Build a system based on PGP signed e-mail - this would be hard to use.

I was favoring #3. I wanted to build the system using Postgres and CGI scripts, but a relational database isn't really necessary.

> What do people think? if it is acceptable, I'll send out a
> developer ping explaining this and asking for a pgp-signed reply with
> location data.

Sounds like a good start to me. Long term, it would be nice to have an automated system - especially when we get 500 developers.

Cheers,
- Jim
Attachment:
pgpQW1n0swgOx.pgp
Description: PGP signature
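The certificate scheme of option 3 above, as an added example that is not part of the original message or of any Debian infrastructure: a shell sketch with openssl in which one CA issues a client certificate per developer, and a server that trusts only that CA accepts a developer's certificate and rejects one issued by an unrelated CA. The CA subjects, the developer logins and the working directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal per-developer client-certificate CA and the
# server-side check that relies only on trusting the CA. All names below
# are constructed for the demo; nothing here is Debian's actual setup.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a CA: a self-signed certificate whose public half is the only thing
# a web server needs to install.   $1 = short name, $2 = X.509 subject
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue one certificate per developer: the key and CSR are generated on the
# developer's side, only the CSR goes to the CA for signing.
# $1 = developer login, $2 = short name of the signing CA
issue_dev_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Debian/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 365 \
        -out "$WORK/$1.pem" 2>/dev/null
}

# What each server does with a presented certificate: verify that it chains
# to the one trusted CA, then take the developer identity from its CN.
# Prints the login on success; prints nothing and returns 1 otherwise.
# $1 = presented certificate, $2 = the CA certificate the server trusts
authenticate() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_ca debian  "/O=Example Debian/CN=Example Developer CA"   # the trusted CA
make_ca otherca "/O=Somebody Else/CN=Unrelated CA"            # a CA nobody trusts
issue_dev_cert jim debian
issue_dev_cert notadev otherca

# A server trusting only the Debian CA accepts jim and rejects notadev.
authenticate "$WORK/jim.pem" "$WORK/debian.pem"
authenticate "$WORK/notadev.pem" "$WORK/debian.pem" || echo "notadev: rejected"
```

The same CA file, copied to any number of servers, gives each of them the same accept/reject decision, which is the "all the servers would have to do is trust the CA" property the message describes.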