Excerpts from Philip Brown's message of Tue Feb 08 23:24:20 -0500 2011:

Hi Phil,

> I find it very odd that this voting issue be raised, without any
> mention of why it was even brought up. (I'm not even sure why
> myself)

Well, I thought it was clear from the introduction. We've been in discussion with you about this and your point of view differs from ours. I've been considering how to bridge this gap and have even considered that your point of view is possibly correct. I'm not wholly convinced of that, but the points you made are not without merit. I also considered simply saying the equivalent of "my way or the highway" but didn't think that was appropriate for several reasons, all of which are too obvious to mention.

During our conversation, you said on more than one occasion that this issue is of the utmost importance to get right. I agree with this. Thus, as a group, we should decide how to do this. It should not happen based on your opinion, my opinion or that of the board as a group. Thus, I wrote the email last night to trigger this discussion with all members. Do you take issue with this decision being made by the full membership? If so, why?

> the release manager, and the backup release manager. So it is
> already redundantly held.

No slight against James, but as he's not a member, his holding the key does not count as redundancy for the purpose of this discussion.

> you also do not make any statement of justification why -any- board
> member position should hold a copy of the key, in addition to these
> positions.

As perhaps the most important record the community holds, it should be the responsibility of the board to hold it and delegate its use in signing catalogs.

> A question then should also be raised of whether "the board" is
> expected to hold a copy of *all* digital assets at all times.

This will be addressed in time. I won't speak for Maciej and Ihsan here, but my own thought process is that the gpg key is the most important element and therefore a logical place to start.

> For example, the root password, and database master passwords, for
> every machine and service associated with opencsw. Currently, "the
> board" does not hold such things in a formal sense, and as far as I
> have heard, has no plans to do so as "a policy".

Database, mailing list and similar passwords are one thing. Root passwords are different. I don't think that OpenCSW is going to tell Baltic Online or Gore to hand over passwords to servers. They are lending us the use of considerable resources and they do grant root access via sudo. I personally don't think it is our right to ask for the root password to those machines.

> I have pointed this out to the board, and asked for an explanation
> of why they think the signing key should be treated any differently
> than these other secure assets. I have received no reply to that.

No, you didn't get a reply. I apologize for that.

> For my own personal opinion, I think that IF the membership deems it
> appropriate that a board member always have a copy of the key, then
> the treasurer seems like the appropriate position.

I argue that the gpg key is equivalent to the royal signet. It is used to authenticate the validity of various documents. The secretary is the one charged with documents and their official status. Thus, if I had to choose a single board position to hold the key, my vote would be for the secretary. For redundancy purposes, I think that two or more positions should hold the key. In this scenario, my vote would be for treasurer and secretary.

As the vote will allow selecting all or none of the positions, you'll be able to vote for whatever configuration you feel is appropriate. Please vote based on positions, though, not people.

Thanks
-Ben
--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302

_______________________________________________
maintainers mailing list
[email protected]
https://lists.opencsw.org/mailman/listinfo/maintainers
.:: This mailing list's archive is public. ::.
