On Thu, Feb 16, 2012 at 1:17 AM, Stephen Gran wrote:
> This one time, at band camp, Michael Gilbert said:
>> Based on discussion about making mentors official, one of the key
>> requirements is contributor DMUP agreement and upload authentication.
>>
>> One thought I had recently was to move the file hosting functionality
>> over to alioth, which already has the necessary authentication
>> infrastructure. The process from a contributor's perspective then
>> would be something like:
>
> I think that there are two main problems with this idea:
>
> First, alioth, while having an infrastructure for ssh keys, doesn't know
> anything about gpg keyrings and signed packages and so on, so all of
> that work still has to be done (and this is the hard bit - distributing
> ssh public keys is easy).

True, ssh pubkeys could be used as the authentication mechanism on mentors anyway. The issue is that mentors isn't designed or intended to have users with full shell accounts. That's something much better served by a forge...like alioth. Also, ideally new contributors should be starting an alioth account anyway so they can start participating on teams. It would be nice if they only needed one account to participate in Debian (the alioth one).

In terms of gpg public keys, the user could simply upload theirs to a public_html alioth location, which would allow the mentors scraping algorithms to pick that up. That process itself would be rather simple, and could be documented in a set of wiki instructions. Why are you thinking that's going to be hard?

> Second, I think requiring all contributors on alioth to sign the DMUP is
> a very bad idea.

Alioth is a Debian machine, and it's listed on http://db.debian.org/machines.cgi, which is linked from the DMUP (http://www.debian.org/devel/dmup). I don't really understand why alioth is so special that it deserves a free pass from the DMUP. It's a rather non-demanding agreement anyway.

Just to be a bit more clear, of course DDs and DMs who've already agreed to the DMUP shouldn't have to do it again.

> We host some external project like SANE that have no
> reason to want to sign agreements about their usage of machines they'll
> never log in to.

I don't think it would be that arduous for external contributors to sign the DMUP as it's a rather non-demanding and sane document anyway.

> Even if we did think it was a good idea, account
> creation is entirely automatic and on demand - we have no way of
> ensuring people have read and agreed to something beyond adding a click
> through web page at creation time or something (ick!).

You could change your process to do something like launchpad with their code of conduct (i.e. contributors can/should gpg sign and upload it).
That is optional on launchpad, but I think it should be required for the DMUP.

Best wishes,
Mike