On Sat, Nov 19, 2005 at 05:06:15PM +0000, Kurt Lieber wrote:
> For instance, the way GLEP 41 suggests doing r/o cvs is not going to work.
> It suggests using a single account and placing an SSH key for each arch
> tester in that account's ~/.ssh/authorized_keys file.
Text in question:

"Get read-only access to the gentoo-x86 repository. This doesn't have 
to be individual accounts, a single account, without a shell, with all 
of their keys will be sufficient."

Note the "doesn't have to be" and "will be sufficient"; it's left open 
to how y'all want to implement it.

> There are no provisions for key management and I cannot see an easy way to
> handle it.  It's easy to add new keys, but how do we clean out old keys for
> retired arch testers?  (including arch testers that "retire" without ever
> informing us)  SSH doesn't log key ID as near as I can tell, so we have no
> way of tracking what keys are used and how often.  Also, how do we
> definitively correlate an SSH key with an arch tester?  
> 
> Now, the same question for email -- how do we manage aliases, especially
> for inactive, retired and semi-retired arch testers?  We could track usage
> in logs, but between mailing list subscriptions, bugzilla notifications and
> all sorts of other automated emails, that's not an accurate representation
> of whether an email alias is actively used or not.
> 
> I talked to Lance and neither he nor I were consulted about this GLEP and
> how feasible the implementation is.  We both are quite concerned about the
> issues that I've outlined above as well as others.  
> 
> This isn't a "we're refusing to implement this GLEP" email, btw, though I'm
> sure some of you will take it as such.  It is, however, a "we were never
> consulted regarding implementation details, so there are still issues that
> need to be worked out before this GLEP can go anywhere" email.  

CVS concerns above are all based upon doing a single account for cvs ro; 
again, it's stated as an option (iow, the option is left up to y'all).

It's not mandating anything on you for cvs, reread it if you don't 
believe me.  It's stating the base, that they only need the users to 
have cvs ro access...

Either way, it's word games, and yes, it's kind of retarded.
~harring
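
The key-tracking questions raised in the quoted message (which keys in a shared account are still used, and whose they are) can be sketched as a log audit. This is an added example, not part of the thread or of any Gentoo infrastructure code. It assumes an sshd that records the key fingerprint in its "Accepted publickey" log line, as current OpenSSH releases do, and that each key's comment field names its owner. The account name `cvsro`, the forced command, the key blobs and the log lines are all constructed.

```python
import base64, hashlib, re

# key type, base64 blob, optional comment; any options prefix is skipped
KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+'
                    r'([A-Za-z0-9+/=]+)(?:\s+(.*))?$')
ACCEPT_RE = re.compile(r'Accepted publickey for (\S+) from \S+ port \d+ '
                       r'ssh2: \S+ (SHA256:\S+)')

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_keys(text):
    """Map fingerprint -> comment field (assumed here to name the key's owner)."""
    keys = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line.strip())
        if m:
            keys[fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return keys

def audit(authorized_keys, log_lines, account):
    """Return ({fingerprint: (owner, logins)}, [fingerprints not on file])."""
    keys = load_keys(authorized_keys)
    counts, unknown = dict.fromkeys(keys, 0), []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if m and m.group(1) == account:
            fp = m.group(2)
            if fp in counts:
                counts[fp] += 1
            else:
                unknown.append(fp)  # key removed from the file, or log from another host
    return {fp: (keys[fp], n) for fp, n in counts.items()}, unknown

def _blob(seed):
    """Constructed placeholder key blob (not a real key), for the sample data."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

OPTS = 'command="cvs server",no-pty,no-port-forwarding'  # hypothetical restriction
SAMPLE_KEYS = "\n".join(["# constructed sample authorized_keys",
                         f"{OPTS} ssh-ed25519 {_blob(b'a')} at-alice",
                         f"{OPTS} ssh-ed25519 {_blob(b'b')} at-bob"])
LOGIN = "sshd[4242]: Accepted publickey for cvsro from 192.0.2.10 port 51234 ssh2: ED25519 "
SAMPLE_LOG = [LOGIN + fingerprint(_blob(b"a")), LOGIN + fingerprint(_blob(b"a")),
              LOGIN + fingerprint(_blob(b"z")),
              "sshd[4250]: Accepted password for other from 192.0.2.11 port 40000 ssh2"]
```

Keys whose login count stays at zero over the retention window are the candidates for removal; fingerprints in the second list were accepted by some sshd but are not in the file being audited.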
