On Sat, Nov 19, 2005 at 10:03:58PM +0000, Kurt Lieber wrote:
> On Sat, Nov 19, 2005 at 01:51:15PM -0600 or thereabouts, Brian Harring wrote:
> > Stop pointing at one interpretation of it that sucks, when the glep
> > _does_ leave it open to you how to implement it. It's a waste of
> > people's time and bandwidth, and is a bit disingenuous.
>
> I'm trying to find a solution to the issues as I see them. Telling me I'm
> wasting people's time and bandwidth doesn't seem conducive to working
> together towards a resolution to this all. If you're going to say, "it was
> passed, you guys just have to find a way to implement it. now please stop
> bothering us" then I'm going to come up with an implementation plan that
> looks something like the following:
>
> * all SSH keys and email addresses for arch testers will auto-expire after
>   60 days. If an arch tester needs to have continued access, a gentoo dev
>   will have to re-submit the key and recreate the alias for that arch
>   tester every 60 days.
>
> That meets the requirements of the GLEP down to the letter and also
> satisfies infra concerns around key management. However, it's a crappy
> solution.
>
> So, I'd much rather work together towards finding a better one.

Simple solution, that I've repeatedly pointed at. Use the existing ldap
setup. It's not infra's responsibility to add their accounts nor disable
them (that is left in the air as stated, although I'd expect it'll fall on
devrel's head).

Infra doesn't even do retirement beyond when _devrel_ asks them to. If that
process is slow, ask for help and someone will chip in and improve it
(mainly to minimize bottleneck involved).

A simple script handling a pull from ldap sshPubKey attribute updating
$USER/.ssh/authorized_keys on lark, you've got the cvs ro issue licked.

Doesn't require anything crazy/new, and could be implemented in no time - no
infra overhead beyond an initial setup cost for cvs, which I would be
willing to implement myself.

It's minor to do it within existing framework, which is why I've stated it's
daft pointing at the minimal requirement as admin hell.

~harring
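A sketch of the LDAP-to-authorized_keys pull proposed in the message above, added here as an illustration and not code from the thread or from Gentoo infrastructure. It assumes the directory is exported as LDIF with `uid` and `sshPubKey` attributes, that read-only CVS is enforced by a forced command (the wrapper path is a placeholder), and it only renders the file content; the sample entries and key blob are constructed.

```python
import base64, re

ALLOWED = {"ssh-rsa", "ssh-ed25519"}
# Assumption: read-only access is enforced by a forced command; the wrapper path is a placeholder.
OPTIONS = 'command="/usr/local/bin/cvs-ro-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

def parse_ldif(text):
    """Yield {attribute: [values]} per entry; unfolds lines and decodes '::' base64 values."""
    for block in re.split(r"\n\s*\n", re.sub(r"\r?\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if sep and not line.startswith("#"):
                b64 = rest.startswith(":")
                value = base64.b64decode(rest[1:]).decode("utf-8", "replace") if b64 else rest.strip()
                entry.setdefault(attr, []).append(value)
        yield entry

def key_fields(value):
    """Return (type, blob) for a single-line 'type base64 [comment]' key, else None."""
    parts = value.split(" ")
    if "\n" in value or len(parts) < 2 or parts[0] not in ALLOWED:
        return None  # rejects embedded newlines and user-supplied option prefixes
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    n = int.from_bytes(raw[:4], "big")  # blob starts with a length-prefixed type name
    return (parts[0], parts[1]) if raw[4:4 + n] == parts[0].encode() else None

def render_authorized_keys(ldif_text):
    out = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        if not re.fullmatch(r"[a-z][a-z0-9_-]*", uid):
            continue  # uid becomes the key comment, so keep it to a safe charset
        for fields in filter(None, map(key_fields, entry.get("sshPubKey", []))):
            out.append(f"{OPTIONS} {fields[0]} {fields[1]} {uid}")
    return "".join(line + "\n" for line in out)

def _blob(ktype):  # constructed stand-in for a key blob, not a real key
    return base64.b64encode(len(ktype).to_bytes(4, "big") + ktype.encode() + bytes(32)).decode()

GOOD = "ssh-ed25519 " + _blob("ssh-ed25519")
SAMPLE_LDIF = "\n".join([  # constructed entries: folded valid key, option prefix, embedded newline
    "dn: uid=tester1,ou=users,dc=example,dc=org", "uid: tester1",
    "sshPubKey: " + GOOD[:20], " " + GOOD[20:] + " laptop", "",
    "dn: uid=tester2,ou=users,dc=example,dc=org", "uid: tester2", 'sshPubKey: command="/bin/sh" ' + GOOD, "",
    "dn: uid=tester3,ou=users,dc=example,dc=org", "uid: tester3",
    "sshPubKey:: " + base64.b64encode((GOOD + "\nssh-ed25519 AAAA extra").encode()).decode(), ""])
```

Because every line gets the same server-chosen options and the directory-supplied comment is dropped, whoever controls an `sshPubKey` value cannot widen their own access; removing the entry from LDAP removes the key on the next run.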
