Re: Developer repositories for Debian
Raphael Hertzog <hertzog@debian.org> writes:
> On Mon, 06 May 2013, Joerg Jaspert wrote:
>> Nah, the web interface just should end up like the DAM web interface: You
>> do whatever you need, then click a button - and voila, there is
>> everything ready to copy/paste into a MUA. Send with sig, done.
> Why? This is just a band-aid and not what I would call a web interface.
> And except laziness I don't see a good reason for that. Web interfaces
> can be secure (and with an audit trail in case of breach). After all we
> can manage our Debian passwords over a web interface...
That level of security isn't great, though. GPG keys are much more secure
than that password. What we would want for equivalent security in a web
interface is personal X.509 certificates.
I think it would be interesting to have that infrastructure in place, but
someone would need to build it (probably with some mechanism to bootstrap
GPG keys into X.509 certificates -- and be careful of expiration times and
figure out a good way to deal with revocation).
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>