[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Ideas about a GR to fix the DAM

On Sat, Nov 17, 2007 at 02:36:25PM +0100, Mario Iseli wrote:
> on the #debian-newmaint there was just a (quite long) discussion started by
> Enrico Zini who had the idea to fix the DAM by adding 2, 3 more people via a GR. I
> think that this would be a good idea. There were also discussions about several
> (small) techincal problems, for example that if you have write access to the
> LDAP that you can add yourself to the "adm" group aka DSA.

As per [0] there are currently a bunch of different roles that're required
to work together for new DDs:

    1. DAM -- does the actual review of work so far to decide whether the
              person should be a DD
    2. keyring-maint -- adds/removes/updates keys in the keyring
    3. DSA -- maintains the LDAP database which provides access to
              .d.o machines and general information about DDs
    4. ftpmaster -- uses keyring-maint's keyring and DSA's ldap to
                    authenticate uploads for the archive

DAM (and FD, and AMs and nm.debian.org) is a policy position -- it's about
deciding who's allowed to do what, rather than a technical position that
involves keeping some software/hardware working; it's very subjective
and that's about it. Adding more DAMs (or AMs or FD members etc)
is straightforward.

keyring-maint is a technical position that occassionally overlaps with
the policy stuff that DAM usually handles. The technical part is just
managing a keyring securely, which is the same task as maintaining the
debian-maintainers package/keyring. Having that be managed by one person
(ie James Troup) who's had a lot of experience managing the keyring has
had the benefit that the keyring's been securely maintained, and the
drawback that change requests have often taken longer than people would
like. Managing the keyring by many people (as we're trying with the DM
keyring) is hopefully more scalable and efficient, but the security and
reliability of it is yet to be very well demonstrated.

DSA is likewise primarily a technical position involving keeping a bunch
of systems running. The main reason it's relevant here is that only a
limited number of changes to LDAP can be done by non-DSA members -- it's
possible for a DD to change their address or IRC nickname, eg, but if a
Debian team with an associated LDAP group (like ftpmaster and debadmin
and ftpteam; or the web team and webwml; etc) wants to add someone to
the group, a DSA member has to take the actual action, just as a DSA
member has to manually add or remove new developers approved by DAM. That
gives DSA an effective veto over a bunch of policy decisions, though I'm
personally not all that convinced it's a big problem. For this particular
case, the difficult is in adding keys to the keyring -- LDAP gets done at
the same time by James, and there's no point anyone else in DSA doing it
because without the keyring update, the new developer can't do anything.

> My Idea would be to give Joerg Jaspert full access to the LDAP and to the
> keyring, exactly as James Troup has now. 

To my mind that at best fixes a current symptom while reinforcing the
underlying systematic problem. 

The "DAM gets full access to everything" philosophy was pretty
straightforward back when Joey Schulze and James were both the entire
new-maintainer team and members of DSA. And that worked fine, right up
until James and Joey decided they were overworked and stopped until a
better method could be worked out, and then continued in an okay way
until James ended up being the only one doing DAM work, and made it
very difficult to get any sort of help because that would mean either
finding someone to trust with absolute power over the project (add/remove
developers, all authentication within the project, and full control of
all Debian machines), or reinventing the system.

Moving the project's absolute trust from James to Joerg might fix the
problems we have now (delays in account creation, delays in keyring
updates), or at least swap it for a different set of problems that
at least makes for an interesting change, but it keeps the exact same
system: the project's faced with the choice of letting Joerg do whatever
he wants, or removing him from a host of crucial roles and trying to
deal with the fallout that results.

For concreteness, I think a better *structural* solution to the problem
would be:

    (a) make keyring-maint maintained by multiple people and not include
	any policy decisions. ie, the maintainers should be able to
	be anyone who understands gpg, and can follow a simple set of
	procedures, not necessarily people we trust to decide who's in
	or out of the project, or to keep a bunch of high-visibility
	machines secure and operational

    (b) enhance the mail interface to LDAP to allow non-DSA members
	to make other changes, eg let particular DDs add other DDs to
	groups they're in charge of automatically, and let DAMs add or
	disable DD accounts

    (c) limit the number of overlapping roles people have -- ie, require
	folks to not be in more than two of DAM, DSA, ftpmaster,
	tech-ctte, policy, etc at any one time -- so that we stop creating
	these dependencies, particular for policy roles

I think jetring (used for the DM keyring), or a similar system is the way
to go for (a) in the long term, but if we're desperate for something in
the short term, we could just have someone else who we trust to maintain a
keyring maintain a seperate one, and have both DSA and ftpmaster use both
keyrings. That would preserve the security of the keyring by having the
master copies maintained exclusively on secure, non-networked machines by
people who're good with gpg, and once we're comfortable with maintaining
the DD keyring by some other means, we can just merge the keyrings.

I'd strongly suggest reading [0], from the paragraph beginning "The
primary reason why there's only one keyring-maint..." and [1] as
well before proposing changes in this area. Trading off security and
confidence in our keyring for quicker updates is something we *really*
want to avoid...


[0] http://lists.debian.org/debian-project/2007/02/msg00204.html
[1] http://lists.debian.org/debian-project/2007/02/msg00226.html

Attachment: signature.asc
Description: Digital signature

Reply to: