ANNOUNCE: Review requests
Matthew Miller
mattdm at mattdm.org
Fri Mar 18 22:37:12 UTC 2005
On Fri, Mar 18, 2005 at 10:17:18PM +0100, Enrico Scholz wrote:
> GPG signatures are the only reasonable authentication; trusting in
> web-based logins in the age of auto-login features in webbrowsers is not
> very wise. Simple webbased logins are vulnerable against weaknesses in
But what's to keep someone from setting up a passphraseless GPG key, or
holding that in some key manager? It's not really all that different -- at
some level, you've got to trust your trusted developers to follow basic good
practices.
I'm not opposed to some sort of GPG signature-based process, but it needs to
be integrated enough with the tools people will be using (webbrowsers, most
likely) to make it not a burden.
> Ok, with "voting system" I meant a system supporting the QA votes like
> "ACCEPT" or "REJECT", and going into the next state. E.g. see page 25
> (real: 32) in
> http://www-user.tu-chemnitz.de/~ensc/diplom/main-DE-oneside.pdf
> (sorry, although image is in english, the rest of the text is only in
> german).
Oh, I see. Well, currently it works pretty well when the number of "votes"
needed is set at "1". :)
> I am more concerned about the reactions of the bugzilla developers. Their
> answers show that they do not understand the underlying HTTP protocol. IP
> based authentication must never be used for public HTTP services; you do
> not gain any security by it but it destroys functionality.
C'mon, you're overstating. You gain some security by it.
--
Matthew Miller mattdm at mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
More information about the fedora-extras-list
mailing list