Re: Debian maintainers' ssh keys
Jonathan McDowell writes (Re: Debian maintainers' ssh keys):

[...]

> I'll be at DebConf. I'm happy to discuss some more concrete ideas about this there and potentially write code if I can be of assistance. I think doing that would be much more beneficial than trying to shoe-horn in some intermediate hack until then.

OK, sure. FAOD I am also willing to write code if there is code that needs to be written.

Ian.

--
To UNSUBSCRIBE, email to debian-newmaint-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/21922.58455.507858.818...@chiark.greenend.org.uk

Re: Debian maintainers' ssh keys
On Sat, Jul 11, 2015 at 06:01:16PM +0100, Ian Jackson wrote:

> Jonathan McDowell writes (Re: Debian maintainers' ssh keys):
> > There's no issue with keyring-maint changing to re-assign DM key addition tickets to DSA once the key is added. My assumption would be that DSA would then be responsible for closing the appropriate bug in the BTS once the LDAP side was done (keyring-maint currently do this as we're the end of the DM addition process).
>
> That sounds like agreement to me ?

It's agreement from a team who will be minimally affected by the changes you are requesting in terms of workload. DSA will have to do more work (and seem to have agreed to that, though not responded about the extra BTS work), but also it will involve more work up front by the DM team.

> > There was previous discussion about generally improving the DM workflow and getting it integrated into nm.debian.org so it's not handled via the BTS and instead follows a more similar process to DDs (which could thus include checks about the username being free or whatever else is required). I'm sure Enrico would appreciate help from anyone who had cycles to spare in getting that implemented.
>
> Was Enrico CC'd via one of these lists ? I've added him explicitly. (I assume you meant Enrico Zini.)

I didn't add him because I know he's busy and has already indicated he has plans to work on this at DebConf:

https://lists.debian.org/debian-project/2015/04/msg00036.html

I'm also pretty sure he reads newmaint so would have caught up on it eventually.

> Does some document need to be updated ?

I believe the issue is more than just let's update a policy. Enrico's fine idea is to tie DMs into the nm.debian.org web infrastructure, which will then mean things like username collisions will be better handled (and when a DM applies to be a DD that information will already be known). It will also move us away from the legacy system of DMs submitting BTS requests for their addition.

I'll be at DebConf. I'm happy to discuss some more concrete ideas about this there and potentially write code if I can be of assistance. I think doing that would be much more beneficial than trying to shoe-horn in some intermediate hack until then.

> Also, how will we grandfather existing DMs ?

That's a trickier question; we need a one off pass through them which allows them to choose a username without it then conflicting with any existing username or one already chosen by an in progress applicant.

[It may be I've missed something about username selection that means it would be easy to get it added at the DM signup stage, but without one of that team jumping in to comment I can't see how it would be done without using the nm.d.o infrastructure.]

J.

Re: Debian maintainers' ssh keys
Jonathan McDowell writes (Re: Debian maintainers' ssh keys):

> There's no issue with keyring-maint changing to re-assign DM key addition tickets to DSA once the key is added. My assumption would be that DSA would then be responsible for closing the appropriate bug in the BTS once the LDAP side was done (keyring-maint currently do this as we're the end of the DM addition process).

That sounds like agreement to me ? Does some document need to be updated ? Also, how will we grandfather existing DMs ?

> There was previous discussion about generally improving the DM workflow and getting it integrated into nm.debian.org so it's not handled via the BTS and instead follows a more similar process to DDs (which could thus include checks about the username being free or whatever else is required). I'm sure Enrico would appreciate help from anyone who had cycles to spare in getting that implemented.

Was Enrico CC'd via one of these lists ? I've added him explicitly. (I assume you meant Enrico Zini.)

Thanks,
Ian.

Re: Debian maintainers' ssh keys
Peter Palfrader writes (Re: Debian maintainers' ssh keys):

> On Sun, 05 Jul 2015, Ian Jackson wrote:
> > However, DMs currently do not have access to it because the backend service is accessed via ssh.[1] To solve this problem it is necessary to have a list of DMs' ssh keys, and make them authorised the same way DDs' keys are[2] for the dgit service user on gideon.debian.org.
>
> DSA isn't opposed to adding NMs to LDAP. If NM/keyring-maint is ok with that and files appropriate ticket and/or reassigns them accordingly, maybe that's an easy route?

That would certainly work for me.

(Note that for the purposes of the dgit service it doesn't matter if the set of people granted the restricted command ssh access to the dgit@ service user is slightly too large. The real access control is based on PGP-signed tags, checked against the keyrings and dm.txt.)

Ian.

Re: Debian maintainers' ssh keys
On Sun, Jul 05, 2015 at 09:43:30PM +0200, Peter Palfrader wrote:

> On Sun, 05 Jul 2015, Ian Jackson wrote:
> > However, DMs currently do not have access to it because the backend service is accessed via ssh.[1] To solve this problem it is necessary to have a list of DMs' ssh keys, and make them authorised the same way DDs' keys are[2] for the dgit service user on gideon.debian.org.
>
> DSA isn't opposed to adding NMs to LDAP. If NM/keyring-maint is ok with that and files appropriate ticket and/or reassigns them accordingly, maybe that's an easy route?

There's no issue with keyring-maint changing to re-assign DM key addition tickets to DSA once the key is added. My assumption would be that DSA would then be responsible for closing the appropriate bug in the BTS once the LDAP side was done (keyring-maint currently do this as we're the end of the DM addition process).

There was previous discussion about generally improving the DM workflow and getting it integrated into nm.debian.org so it's not handled via the BTS and instead follows a more similar process to DDs (which could thus include checks about the username being free or whatever else is required). I'm sure Enrico would appreciate help from anyone who had cycles to spare in getting that implemented.

J.

Re: Debian maintainers' ssh keys
On Sun, 05 Jul 2015, Ian Jackson wrote:

> However, DMs currently do not have access to it because the backend service is accessed via ssh.[1] To solve this problem it is necessary to have a list of DMs' ssh keys, and make them authorised the same way DDs' keys are[2] for the dgit service user on gideon.debian.org.

DSA isn't opposed to adding NMs to LDAP. If NM/keyring-maint is ok with that and files appropriate ticket and/or reassigns them accordingly, maybe that's an easy route?

Cheers,
weasel