[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mentors upload authentication

This one time, at band camp, Michael Gilbert said:
> On Thu, Feb 16, 2012 at 1:17 AM, Stephen Gran wrote:
> > This one time, at band camp, Michael Gilbert said:
> >> Based on discussion about making mentors official, one of the key
> >> requirements is contributor DMUP agreement and upload authentication.
> >
> > I think that there are two main problems with this idea:
> >
> > First, alioth, while having an infrastructure for ssh keys, doesn't know
> > anything about gpg keyrings and signed packages and so on, so all of
> > that work still has to be done (and this is the hard bit - distributing
> > ssh public keys is easy).
> In terms of gpg public keys, the user could simply upload theirs to a
> public_html alioth location, which would allow the mentors scraping
> algorithms to pick that up.  That process itself would be rather
> simple, and could be documented in a set of wiki instructions.  Why
> are you thinking that's going to be hard?

Most people go to a lot more trouble to make sure gpg signatures are
valid and trustworthy than just downloading them from a random home
directory on a machine where accounts are created on demand.  I'm not
sure what level of identification you're looking for here, but that
seems so trivial to subvert it makes me think you'd be better off
without it.

I'm assuming that the backstory here is that ftpmaster want signed and
identifiable uploads.  I think this idea fails that test, myself.

> > Second, I think requiring all contributors on alioth to sign the DMUP is
> > a very bad idea.
> Alioth is Debian machine, and its listed on
> http://db.debian.org/machines.cgi, which is linked from the DMUP
> (http://www.debian.org/devel/dmup).  I don't really understand why
> alioth is so special that it deserves a free pass from the DMUP.  It's
> a rather non-demanding agreement anyway.
> Just to be a bit more clear, of course DDs and DMs who've already
> agreed to the DMUP shouldn't have to do it again.

Just to be clear, alioth is not a regular debian.org machine.  It isn't
admined by the same team, accounts are not handled in the same way,
and privileged groups on Debian machines have no special privilege on
alioth machines.

Yes, the 2 machines that make up the alioth service are in the normal
debian ldap, as are several other non-DSA admin'ed machines (exodar,
strauss, sumotsu, etc).  You don't need to sign the DMUP to use those
machines either, as far as I'm aware.  Their presence in LDAP is an
implementation detail of the system that exports accounts to the machines.

> > We host some external project like SANE that have no
> > reason to want to sign agreements about their usage of machines they'll
> > never log in to.
> I don't think it would be that arduous for external contributors to
> sign the DMUP as it's a rather non-demanding and sane document anyway.

I do believe it will be arduous to go find all the people who currently
use alioth who are not DDs and ask them to sign something in order to
retain their access to a service they use.

> > Even if we did think it was a good idea, account
> > creation is entirely automatic and on demand - we have no way of
> > ensuring people have read and agreed to something beyond adding a click
> > through web page at creation time or something (ick!).
> You could change your process to do something like launchpad with
> their code of conduct (i.e. contributors can/should gpg sign and
> upload it).  That is optional on launchpad, but I think it should be
> required for the DMUP.

To recap, I still don't think alioth is a good fit for this.  I think
you're trying to shoehorn something that works with launchpad onto an
entirely different system, and it doesn't fit very well for a variety of

|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

Attachment: signature.asc
Description: Digital signature

Reply to: