Re: Mentors upload authentication
On Thu, Feb 16, 2012 at 1:17 AM, Stephen Gran wrote:
> This one time, at band camp, Michael Gilbert said:
>> Based on discussion about making mentors official, one of the key
>> requirements is contributor DMUP agreement and upload authentication.
>> One thought I had recently was to move the file hosting functionality
>> over to alioth, which already has the necessary authentication
>> infrastructure. The process from a contributor's perspective then
>> would be something like:
> I think that there are two main problems with this idea:
> First, alioth, while having an infrastructure for ssh keys, doesn't know
> anything about gpg keyrings and signed packages and so on, so all of
> that work still has to be done (and this is the hard bit - distributing
> ssh public keys is easy).
True, ssh pubkeys could be used as the authentication mechanism on
mentors anyway. The issue is that mentors isn't designed or intended
to have users with full shell accounts. That's something much better
served by a forge...like alioth.
Also, ideally new contributors should be starting an alioth account
anyway so they can start participating on teams. It would be nice if
they only needed one account to participate in Debian (the alioth

In terms of gpg public keys, the user could simply upload theirs to a
public_html alioth location, which would allow the mentors scraping
algorithms to pick that up. That process itself would be rather
simple, and could be documented in a set of wiki instructions. Why
are you thinking that's going to be hard?
> Second, I think requiring all contributors on alioth to sign the DMUP is
> a very bad idea.
Alioth is a Debian machine, and it's listed on
http://db.debian.org/machines.cgi, which is linked from the DMUP
(http://www.debian.org/devel/dmup). I don't really understand why
alioth is so special that it deserves a free pass from the DMUP. It's
a rather non-demanding agreement anyway.
Just to be a bit more clear, of course DDs and DMs who've already
agreed to the DMUP shouldn't have to do it again.
> We host some external projects like SANE that have no
> reason to want to sign agreements about their usage of machines they'll
> never log in to.
I don't think it would be that arduous for external contributors to
sign the DMUP as it's a rather non-demanding and sane document anyway.
> Even if we did think it was a good idea, account
> creation is entirely automatic and on demand - we have no way of
> ensuring people have read and agreed to something beyond adding a click
> through web page at creation time or something (ick!).
You could change your process to do something like launchpad with
their code of conduct (i.e. contributors can/should gpg sign and
upload it). That is optional on launchpad, but I think it should be
required for the DMUP.