Make ldap account for marlowe

We should make an account for marlowe so he can have access the rpm git repo

Preferred username: marlowe first/middle/last name: Patrick Ryan McDonald forwarding email address: marlowe@antagonism.org pgp key fingerprint: FEF9 1952 38AC F8F6 E2DB C654 04F8 9D1C A2D1 E972

added component::company priority::medium resolution::fixed status::closed type::task labels

I agree that we should, but: this key is signed only by marlowe? Do you know anybody near you that we know that you could get to sign it?

arma must be testing if I'm watching the bugs list... I do have concerns about giving ldap accounts to every random person, but requiring that some random friend of a friend meet them in person is not the right bar, imo..

What is the concern here? What risks do we incur by giving an owner of a gpg key some level of access to our infrastructure? How many of these risks still exist if we simply make sure that the owner of this gpg key is actually the same person who volunteered to make rpms for us?

I'm not saying there is no risk... I'm just wondering what problems we're trying to solve by requiring an arbitrary person to meet someone else in person.

I will see what I can do about getting my key signed by some people known by the Tor project. Is there anything else I need to provide?

Trac:
Cc: arma, phobos to arma, phobos, marlowe@antagonism.org

marlowe: I've developed a magical ritual that should obviate the need to get your papers inspected and your orifices sniffed by concentric rings of unwashed beardos:

1. Post a url here to something signed with your key (preferably wherever you are currently hosting your rpm prototypes).
2. Verify your own signature yourself from two or more different tor circuits, to ensure you weren't MITM'd on your end.
3. We'll perform the same verification on our side, to ensure we see the same key.

All we really care about in terms of key authentication is that whoever is building rpms is the same person as who was volunteering to do so. We don't really care about your name or your government-issued ID. Or at least we shouldn't...

However, for my own peace of mind, it would be nice if we could find some way to authenticate that the rpms you produce actually come directly from the git sources. Ie: someone else can take the .spec file, the sources from git, and the patch set and build an identical rpm on a clean VM with the same sha1sum. See #3688 (closed).

I'm not sure how we can do this and also have signed rpms, though.. But maybe there is a way to strip the signature from an RPM and then take the sha1sum?

Replying to arma:

I agree that we should, but: this key is signed only by marlowe? Do you know anybody near you that we know that you could get to sign it?

I have met marlowe before, he has my phone number, and I will be able to recognize his voice if he calls to verify the fingerprint of his public key. Will this be sufficient?

Replying to runa:

Replying to arma:

I agree that we should, but: this key is signed only by marlowe? Do you know anybody near you that we know that you could get to sign it?

I have met marlowe before, he has my phone number, and I will be able to recognize his voice if he calls to verify the fingerprint of his public key. Will this be sufficient?

That works for me, though technically you should sign something that says his fingerprint is the same as the above. If you just comment here without a signature, we're just relying on trac security...

But my comment about reproducible builds still stands. No matter how many people have smelled marlowe, his build machines could still get compromised.

Mike, this isn't the place for your rants against the web-of-trust or pgp keysigning in general. Take that elsewhere, thanks.

ping me when y'all have figured out if the original request as such should be handled.

Trac:
Status: new to assigned
Owner: weasel to N/A

I say we proceed with making the account. marlowe should get his key signed, and meet more Tor people, but that shouldn't block making our rpms not suck.

I agree with Mike about his hope of making reproducible rpms. That should be a separate ticket, or just something marlowe keeps in mind, once this ticket is resolved.

Trac:
Cc: arma, phobos, marlowe@antagonism.org to weasel, arma, phobos, marlowe@antagonism.org

Replying to weasel:

Mike, this isn't the place for your rants against the web-of-trust or pgp keysigning in general. Take that elsewhere, thanks.

Weasel, I was not just ranting, I was proposing an alternate protocol for key authentication. I do not believe we should force individuals to divulge their name and/or participate in a broken process when alternatives are available. I reiterated my feelings only because arma seemed to be advocating actually participating in the government-authenticated and social-network based WoT process as if it were the only option we have for authenticating keys.

I also don't believe volunteers should be forced to divulge their social circle as a requirement for joining the project, even if their social circle doesn't happen to enforce the government-authenticated identity aspect of the WoT.

I believe these things very strongly. I am sorry if you feel that proposing alternative authentication mechanisms constitutes ranting against the WoT.

However, now I /am/ ranting. But you have only yourself to thank for that ;)

Final information collected: Patrick Ryan McDonald marlowe@torproject.org: Assigned UID: 2032 GID: 2032 Email forwarded to: marlowe@antagonism.org GECOS Field: "Patrick Ryan McDonald,,,," Login Shell: /bin/bash Key Fingerprint: FEF9195238ACF8F6E2DBC65404F89D1CA2D1E972 Continue [No/yes]? yes Updating LDAP directory..

Trac:
Resolution: N/A to fixed
Status: assigned to closed

closed