On 20/07/15 12:18, Ian Jackson wrote:
> Ben Caradoc-Davies writes ("Re: debian github organization ?"):
>> I am not sure why this would be unacceptable to anyone. Authentication is your ability to prove who you are. GitHub accounts provide this.
>
> You're talking as if what is identified is a human being. But of course, it isn't. When you do a git push (or whatever) what is pushed is controlled by the computer you are using.

Of course. Humans lack a network interface. Authentication is the process whereby humans use tools they control to prove their identity. The integrity of these tools, the degree of control, and the care with which these tools are used appear to be your concern.

> I would not want to use my workstation at work to push to Debian. Nor would I want to have to feed all the pushes I would do during my job through my netbook so they can be appropriately authorised.

What is your concern? That your workstation might be misused or compromised by someone in your workplace? Key logger? Remote access snooping? And that this compromise might be used for malicious purposes against Debian?

> The github authorisation is in terms of ssh keys. I have ssh keys that live on my workstation at work. And I have ones that live on my own infrastructure.

GitHub recommend using SSH key passphrases, which provide a degree of protection against machine compromise:

https://help.github.com/articles/working-with-ssh-key-passphrases/

Kind regards,

--
Ben Caradoc-Davies <ben@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand