[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Services I'd like from auric

On Fri, Dec 19, 2003 at 02:15:33PM +0100, Martin Loschwitz wrote:

> There is yet another point that, while not bringing up new arguments on the 
> technical side, yet brings up another point of view: Restricting the access 
> to auric on the long term is a clear vote of no confidence against any Debian 
> developer with an account in LDAP DB -- even against those who _take_ care 
> of security and who do lots of efforts to avoid giving a chance to attackers
> (like not logging in from anywhere else than from a surely trusted place,
> not using passwords but SSH-Keys stored on encrypted USB memory sticks ...)

It is a standard mitigation strategy:  don't give access to sensitive
resources to people who don't need that access.  This is a vote of no
confidence in the claim that *ALL* developers with accounts in LDAP will
follow the desired security procedures (it only takes one who doesn't to
have a compromise), and it's a (wise) vote of no confidence by the
admins in their *own* ability to usefully distinguish those who would
follow the security procedures from those who won't.  It's reasonable to
assume that, if one is a DD, *someone* believed they had a brain on
their shoulders; but multiplying the odds of this not being true by 1000
developers, and exposing ftp-master to these odds, is not inherently

That said, I think the impact of closing access to auric has been
consistently understated because the effects of such access on the
project's efficiency are both subtle and diffuse.  Above all, access
empowers developers to find their own answers and seek their own
understanding, which isn't something to be traded away lightly.  There
have been plenty of assurances that everything on auric can be made
available elsewhere through mirroring, but it seems to me that there are
many other higher priority services to be restored before anyone is
likely to worry about mirroring the archive engine.

Locking down auric is a reasonable long-term strategy, but the
short-term impact of locking it down *before* mirroring has been
implemented is that the only people who can even work on the
implementation are the people who are already the most burdened
following the compromise; and that the only people who can get
certain kinds of information to the masses are people that I'm
(personally) reluctant to bother because they have other
responsibilities to attend.  How big a deal this becomes is really a
function of how short-term it is; but as a natural skeptic, I worry that
it won't be as short-term as people intend.

Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature

Reply to: