Re: people.debian.org to move to ravel

On Thu, 28 Aug 2008, Steve Langasek wrote:

> One of the services running on gluck is lintian.debian.org, which until now
> has been available for all developers to use in doing archive-wide scans.
> Is this service no longer going to be available to developers at large?

Unknown.  We have not talked to the lintian folks yet on what we are
going to do with lintian.d.o, if in fact we do anything at all.

The first step is to get people.d.o out from the HP network because they
really don't want us shipping software from their place.

> > Ravel is a freshly installed system so there probably are a few packages
> > missing that you might need.  Please contact DSA at the debian-admin
> > mailing list with requests.  Also, ssh logins are restricted to key-based
> > logins; password-based logins are not allowed.  Submit your keys to LDAP
> > as documented on http://db.debian.org/.
> What's the reason for this authentication policy, which differs from (AFAIK)
> all developer-public debian.org hosts to date?  Is this a sign of a broader
> policy change coming down the line?

It is.  Limiting an attacker's ability to easily jump from one
compromised box to another is something we really want to have.  Not
tomorrow, but eventually.

> I generally avoid using password authentication to Debian hosts, *except* in
> the particular case of scp'ing files from one Debian host to another because
> I don't have a key that I'm willing to do authentication forwarding on to
> Debian hosts, nor do I particularly want to use up my home bandwidth copying
> files up and down to move them between two remote hosts.  I would appreciate
> not having this use case impaired by policy changes of unclear origin.

I think it's pretty obvious why this policy change is something that
should have been done long ago.  That being said, we are evaluating means
that will allow simple file transfers.

