[Python-Dev] [Infrastructure] Snakebite build slaves and developer SSH/GPG public keys
Brett Cannon
brett at python.org
Thu Aug 23 01:52:54 CEST 2012
On Wed, Aug 22, 2012 at 7:03 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Thu, Aug 23, 2012 at 8:28 AM, Trent Nelson <trent at snakebite.org> wrote:
> > Hi folks,
> >
> > I've set up a bunch of Snakebite build slaves over the past week.
> > One of the original goals was to provide Python committers with
> > full access to the slaves, which I'm still keen on providing.
> >
> > What's a nice simple way to achieve that in the interim? Here's
> > what I was thinking:
> >
> > - Create a new hg repo: hg.python.org/keys.
> >
> > - Committers can push to it just like any other repo (i.e.
> > same ssh/authz configuration as cpython).
> >
> > - Repo is laid out as follows:
> >     keys/
> >         <python username>/
> >             ssh (ssh public key)
> >             gpg (gpg public key)
> >
> > - Prime the repo with the current .ssh/authorized_keys
> > (presuming you still use the --tunnel-user facility?).
>
> Make ssh and gpg directories and this sounds like a usefully secure
> way to allow us to add extra keys (currently, there's a security hole
> in the fact that requests to change our registered ssh key for access
> are not themselves authenticated electronically)
>
Screw security, it would mean ssh keys would be self-serve! =) No more
having to email an alias that bugs Georg and Antoine to add a key when you
can do it yourself (or for the person who you nominated to gain commit
access).
This assumes, of course, that Georg, Antoine, and Martin are cool with this
and can get some hook set up to make this work with our current setup.
>
> Also, nice work on getting to this point, even though it turned out to
> be a lot more work than you originally anticipated!
>
I expect a TIP BoF update at PyCon US 2013 or else I consider this an early
April Fool's joke. =)
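
An added example, not part of the original thread or of python.org's infrastructure: validation that a push hook on the proposed keys repo could apply before regenerating authorized_keys from keys/<python username>/ssh. It assumes the hook is given the authenticated pusher's username and that a committer may change only their own directory; the names parse_public_key, check_push and the user alice are hypothetical.

```python
import base64
import struct

ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}

def parse_public_key(text):
    """Accept a file holding exactly one bare OpenSSH public key line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line")
    fields = lines[0].split()
    # A leading options field (command=..., from=...) fails this check.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("line must start with an allowed key type")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    # The decoded blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return fields[0], fields[1]

def check_push(pusher, changed):
    """changed maps repo path -> new content; gpg files get the path checks only."""
    lines, errors = [], []
    for path, content in sorted(changed.items()):
        parts = path.split("/")
        if len(parts) != 3 or parts[0] != "keys" or parts[2] not in ("ssh", "gpg"):
            errors.append(f"{path}: outside the keys/<username>/ssh|gpg layout")
        elif parts[1] != pusher:  # assumed policy: own directory only
            errors.append(f"{path}: {pusher} may only change their own keys")
        elif parts[2] == "ssh":
            try:
                ktype, blob = parse_public_key(content)
                lines.append(f"{ktype} {blob} {pusher}")  # comment field set by the hook
            except ValueError as exc:
                errors.append(f"{path}: {exc}")
    return lines, errors

def sample_key():
    """Constructed ed25519-shaped key (all-zero key bytes), for the demo only."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " alice@laptop\n"

if __name__ == "__main__":
    print(check_push("alice", {"keys/alice/ssh": sample_key()}))
    print(check_push("alice", {"keys/alice/ssh": 'command="/usr/bin/true" ' + sample_key()}))
```

The hook would reject the push whenever the error list is non-empty, so a key file can never carry authorized_keys options or a second key into the generated file.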