[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Developer repositories for Debian

Raphael Hertzog <hertzog@debian.org> writes:
> On Mon, 06 May 2013, Joerg Jaspert wrote:

>> Nah, the webinterface just should end up like the DAM webinterface: You
>> do whatever you need, then click a button - and voila, there is
>> everything ready to copy/paste into a MUA. Send with sig, done.

> Why? This is just a band-aid and not what I would call a web interface.
> And except lazyness I don't see a good reason for that. Web interfaces
> can be secure (and with an audit trail in case of breach). After all we
> can manage our Debian passwords over a web interface...

That level of security isn't great, though.  GPG keys are much more secure
than that password.  What we would want for equivalent security in a web
interface is personal X.509 certificates.

I think it would be interesting to have that infrastructure in place, but
someone would need to build it (probably with some mechanism to bootstrap
GPG keys into X.509 certificates -- and be careful of expiration times and
figure out a good way to deal with revocation).

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: