Re: Misc development news (#8)

> Mail-Followup-To: debian-devel-announce@lists.debian.org

(Heh, eew)

On Fri, May 30, 2008 at 08:52:02PM +0200, Raphael Hertzog wrote:
> The news are collected on http://wiki.debian.org/DeveloperNews
> Feel free to contribute.

> ~/.ssh/authorized_keys will remain disabled by default
> ------------------------------------------------------

>  Peter Palfrader announced on debian-infrastructure-announce[1] that DSA
>  will not reenable the usage of ~/.ssh/authorized_keys. One should use the
>  official LDAP infrastructure[2] to setup key-based SSH connection to
>  debian.org machines. There's an exception however, quoting Peter:

> > Should you need keys only on specific hosts for automated tasks like
> > updating stuff or syncing files between project machines or similar
> > we can enable a user editable authorized_keys file for specific users
> > on specific hosts.  Usually we would expect those keys to be limited
> > to use only from certain hosts (using from="<xyz>") and limited to
> > allow execution of only certain commands (using command="<foobar>").
> > Contact DSA if you have such a case.

I think this is a great example of why announcements like this should be
sent to debian-devel-announce in the first place, instead of being relegated
to the debian-infrastructure-announce list that most developers aren't
subscribed to.

- it's going to end up on d-d-a anyway because it's of sufficiently general
  concern that someone will forward it there
- d-d-a is the list that all developers are supposed to be subscribed to,
  which means that's the list where announcements of general interest
  *should* go.

Peter, please don't fragment our news feeds in this manner.  At least
provide this kind of information on *both* announcement lists, instead of
hiding it only on the infrastructure-announce list among other messages that
don't generally affect developers.  This is information that does need to go
to /all/ developers, not just to the infrastructure-announce list, because
it's not just a maintenance notification - it's a policy change that affects
how all developers interact with the project resources.

Also, could someone please elaborate on what:

  The use of ~user/.ssh/authorized_keys files has been disabled since
  DSA1571 was announced.  While our initial plan was to allow them
  again eventually some bad experience with DDs' key handling has
  led us to reconsider that intent.

... that means?  What bad key handling was seen that warrants such a policy

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
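
An added example, not part of the original message and not DSA's tooling: a Python check that reads an authorized_keys file and reports entries lacking the from= or command= restrictions described in Peter's quoted text. The sample entries, key blobs, hosts and function names are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of public key type names
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')

# Constructed sample: key blobs, hosts and comments are placeholders.
SAMPLE = """\
# automation keys
from="192.0.2.10",command="/usr/local/bin/sync-mirror" ssh-ed25519 AAAAPLACEHOLDER1 mirror-sync
command="/usr/bin/rsync --server --sender . /srv/data",no-pty ssh-rsa AAAAPLACEHOLDER2 rsync job
ssh-rsa AAAAPLACEHOLDER3 alice@laptop
from="*.example.org",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER4 build
"""

def split_options(line):
    """Split one authorized_keys line into (options dict, 'type blob comment')."""
    if line.startswith(KEY_TYPES):
        return {}, line  # line has no options field
    opts, i = {}, 0
    while i < len(line) and line[i] not in " \t":
        m = OPTION.match(line, i)
        if not m:
            raise ValueError("unparseable options: " + line[:40])
        # Flag options (no-pty, restrict) are stored as True, others as their value.
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        i = m.end()
        if i < len(line) and line[i] == ",":
            i += 1
    return opts, line[i:].strip()

def audit(text):
    """Return (line number, key comment, missing restrictions) for weak entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        missing = [o for o in ("from", "command") if o not in opts]
        if missing:
            fields = rest.split(None, 2)
            comment = fields[2] if len(fields) > 2 else ""
            findings.append((lineno, comment, missing))
    return findings

if __name__ == "__main__":
    for lineno, comment, missing in audit(SAMPLE):
        print(f"line {lineno} ({comment}): missing {', '.join(missing)}")
```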