
Re: Lists of Maintainers

> 	I'll bite. What were you planning on doing? Can we get an
>  effort started by just doing a maintainer ping, asking for the
>  location (city, country, latitude, longitude) and massage it into a
>  xearth file? This is lo-tech, but is easy to do (I'll collate all
>  the data), and will set up a fairly up-to-date file for all people
>  willing to have this data made public.

Sounds like a good start.

> 	This could also be made an optional part of the new maintainer
>  process, to ensure the data is updated.
> 	Setting up a web based system can then be done at our leisure
>  (or maybe a pgp-signed email message can remain the interface).

I was going to concentrate on a web system which stored the data in
a back-end database.  The developers would be able to log-in and
update their own records.

As far as the information to be collected, I was thinking of collecting
both public data and confidential data.

The form would probably ask for name, e-mail, phone, address, country, 
latitude-longitude, PGP key, maybe even an X-Face or picon...

Some items would be private (like phone number), and used primarily for 
maintainer verification.  Other items would be public (like e-mail 
address).  Yet other items would only be public if the maintainer
approved of it.

I believe that Klee is in charge of new maintainer verification, so he'd
probably have some ideas about what to ask.

I was thinking that a cron job could build an official list of developers
every day, and put that on master.

I thought of several authentication schemes:

 1)  Assign everybody a password (running on a web server somewhere) 
         - this is probably easiest, but then everybody has another 
           password to worry about.
 2)  Place the system on master.debian.org, and authenticate against
     /etc/passwd using the user account passwords
         - the disadvantage of this is that it requires mucking around
           with the web server on master.  Also, authenticating against
           the passwords on master could possibly be a security hole. 
 3)  Set up a Debian SSL Certificate Authority 
         - we could place the users' certificates in their directories
           on master (read-only) - or mail them to them in encrypted
           form - then they could install the certificates in their
           web browsers (following instructions or via a CGI)
         - then they could access an SSL web server and be authenticated
           that way
         - this method has the advantage that we could assign one 
           certificate to each developer, and this could be used to
           authenticate them on multiple servers (for different purposes)
           around the world without having to tie the servers together
           in some common authentication scheme.  All the servers would
           have to do is trust the CA.
 4)  Build a system based on PGP signed e-mail
         - this would be hard to use 

I was favoring #3.  I wanted to build the system using Postgres and CGI
scripts, but a relational database isn't really necessary.

> 	What do people think? if it is acceptable, I'll send out a
>  developer ping explaining this and asking for a pgp-signed reply with
>  location data.

Sounds like a good start to me.  Long term, it would be nice to have an
automated system - especially when we get 500 developers.


 - Jim
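
Scheme 3 from the message above, sketched as an added example that is not part of the original message or of any Debian tooling: one CA issues one certificate per developer, and two unrelated servers accept it while holding nothing but a copy of the CA certificate. It assumes the openssl command-line tool is installed, all names are constructed, and it stops at chain verification rather than running an SSL web server.

```bash
#!/usr/bin/env bash
# Added example. All names (Example Project CA, dev1, outsider, server-a/b)
# are constructed for illustration. Requires the openssl command-line tool.
set -eu
WORK=$(mktemp -d)

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert CADIR USER: generate USER's key and CSR, sign it with the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# server_accepts TRUSTED_CA CERT: the only check a server needs to make.
# Succeeds if CERT chains to TRUSTED_CA; no shared user database involved.
server_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "$WORK/ca" "Example Project CA"   # the CA every server trusts
make_ca "$WORK/other" "Unrelated CA"      # a CA no server trusts
issue_cert "$WORK/ca" dev1                # one certificate per developer
issue_cert "$WORK/other" outsider

# Two independent servers; each holds only a copy of the CA certificate.
for s in server-a server-b; do
  mkdir -p "$WORK/$s"
  cp "$WORK/ca/ca.crt" "$WORK/$s/trusted-ca.crt"
  for u in dev1 outsider; do
    if server_accepts "$WORK/$s/trusted-ca.crt" "$WORK/$u.crt"; then
      echo "$s: $u accepted"
    else
      echo "$s: $u rejected"
    fi
  done
done
```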
