Re: Misc development news (#8)

To: debian-project@lists.debian.org
Cc: debian-admin@lists.debian.org
Subject: Re: Misc development news (#8)
From: Steve Langasek <vorlon@debian.org>
Date: Sat, 31 May 2008 15:21:22 -0700
Message-id: <20080531222122.GA10366@dario.dodds.net>
Mail-followup-to: Steve Langasek <vorlon@debian.org>, debian-project@lists.debian.org, debian-admin@lists.debian.org
In-reply-to: <20080530185202.GE20197@ouaza.com>
References: <20080530185202.GE20197@ouaza.com>

> Mail-Followup-To: debian-devel-announce@lists.debian.org

(Heh, eew)

On Fri, May 30, 2008 at 08:52:02PM +0200, Raphael Hertzog wrote:
> The news are collected on http://wiki.debian.org/DeveloperNews
> Feel free to contribute.

> ~/.ssh/authorized_keys will remain disabled by default
> ------------------------------------------------------

>  Peter Palfrader announced on debian-infrastructure-announce[1] that DSA
>  will not reenable the usage of ~/.ssh/authorized_keys. One should use the
>  official LDAP infrastructure[2] to setup key-based SSH connection to
>  debian.org machines. There's an exception however, quoting Peter:

> > Should you need keys only on specific hosts for automated tasks like
> > updating stuff or syncing files between project machines or similar
> > we can enable a user editable authorized_keys file for specific users
> > on specific hosts.  Usually we would expect those keys to be limited
> > to use only from certain hosts (using from="<xyz>") and limited to
> > allow execution of only certain commands (using command="<foobar").
> > Contact DSA if you have such a case.

I think this is a great example of why announcements like this should be
sent to debian-devel-announce in the first place, instead of being relegated
to the debian-infrastructure-announce list that most developers aren't
subscribed to.

- it's going to end up on d-d-a anyway because it's of sufficiently general
  concern that someone will forward it there
- d-d-a is the list that all developers are supposed to be subscribed to,
  which means that's the list where announcements of general interest
  *should* go.

Peter, please don't fragment our news feeds in this manner.  At least
provide this kind of information on *both* announcement lists, instead of
hiding it only on the infrastructure-announce list among other messages that
don't generally affect developers.  This is information that does need to go
to /all/ developers, not just to the infrastructure-announce list, because
it's not just a maintenance notification - it's a policy change that affects
how all developers interact with the project resources.

Also, could someone please elaborate on what:

  The use of ~user/.ssh/authorized_keys files has been disabled since
  DSA1571 was announced.  While our initial plan was to allow them
  again eventually some bad experience with DDs' key handling has
  led us to reconsider that intent.

... that means?  What bad key handling was seen that warrants such a policy
change?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to:

Follow-Ups:
- Re: Misc development news (#8)
  - From: Peter Palfrader <weasel@debian.org>

Prev by Date: Re: DEP1: how to do an NMU
Next by Date: Re: DEP1: how to do an NMU
Previous by thread: Re: DEP1: how to do an NMU
Next by thread: Re: Misc development news (#8)
Index(es):
- Date
- Thread