[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DM vs DD and security

Kevin Mark dijo [Mon, Mar 19, 2007 at 05:41:32AM -0400]:
> Hi,
> I was mulling over a 3-tiered Debian contributer system:
> Debian contributer(non-software contributer)
> Debian maintainer(software contributer with limited upload rights)
> Debian developer(software contributer with full upload rights)
> where a a DC and DM would not have access to debian.org machines.

Umh... I don't like that much viewing this as three tiers, three
consecutive stages you progress on as if you were progressing towards
nirvana :) And, besides, you left out the "voting rights" part, which
is quite important as well.

> I think the idea of limiting access to debian.org machines to DDs would
> be more secure than having all DC's and DM's have access. At least that
> is what I surmise. 
> Then I wondered what percentage of DDs require access to debian.org
> machines? 

Umh... Looking at Marga's answer, and thinking a bit on this, maybe
the answer leads somewhere else... As she points out, we all might
need access to a @debian.org machine every now and then, to get to
some information, to update our people.debian.org information, or
whatever - Now, what about this probably over-simplified workflow?

1- Nobody has access to @d.o machines by default
2- There is a subset of @d.o machines which accept DD login
   2.1- There might even be a sub-subset which accept DM or DC
         login. Worth considering :)
3- If a DD needs access to a specific machine, (he|she|it) sends a
   GPG-signed machine-readable message requesting access to the
   specific needed machine
4- After a given time, access will be automatically revoked
   4.1- If somebody often requires access to a machine or set of
        machines, (he|she|it) can request for permanently enabled

I think this would fit most of us quite nicely, and strongly help
prevent breakins like the ones we have suffered. What do you say?


Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF

Attachment: signature.asc
Description: Digital signature

Reply to: