On Fri, Mar 18, 2005 at 10:17:18PM +0100, Enrico Scholz wrote:
> GPG signatures are the only reasonable authentication; trusting in
> web-based logins in the age of auto-login features in web browsers is not
> very wise. Simple web-based logins are vulnerable against weaknesses in

But what's to keep someone from setting up a passphraseless GPG key, or
holding that in some key manager? It's not really all that different -- at
some level, you've got to trust your trusted developers to follow basic good

I'm not opposed to some sort of GPG signature-based process, but it needs to
be integrated enough with the tools people will be using (web browsers, most
likely) to make it not a burden.

> Ok, with "voting system" I meant a system supporting the QA votes like
> "ACCEPT" or "REJECT", and going into the next state. E.g. see page 25
> (real: 32) in
> (sorry, although the image is in English, the rest of the text is only in
> German).

Oh, I see. Well, currently it works pretty well when the number of "votes"
needed is set at "1". :)

> I am more concerned about the reactions of the bugzilla developers. Their
> answers show that they do not understand the underlying HTTP protocol. IP-
> based authentication must never be used for public HTTP services; you do
> not gain any security by it but it destroys functionality.

C'mon, you're overstating. You gain some security by it.

