savannah-hackers

Re: [Savannah-hackers] savannah update


From: Hugo Gayosso
Subject: Re: [Savannah-hackers] savannah update
Date: 16 Jan 2004 22:30:44 -0500
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Loic Dachary <address@hidden> writes:

>       I agree. The only part I have doubts about is to make that a
> requirement. A new hosting facility could start with this
> requirement.

[...]

> As a project leader I would be shocked if the hosting facility I
> rely on *changes* its policy to teach me a lesson I'm forced to
> hear.

I think Loic has a very valid point here.

I am pro-security, and I really would like to see all CVS commits
signed, all the releases signed, etc.  But I think people should be
doing this because they have convinced themselves; otherwise real
security will not be obtained, because some people will not be
following rules they do not agree with.

A typical example is when, in companies, people are forced to use
different passwords for different applications and also have to
remember certain access codes for doors (physical doors and such):
some people end up writing all the passwords and access codes down
and posting them on their monitor, etc.

Or worse, they use the same password for their personal email (Yahoo,
Hotmail, etc.) and for their corporate work!!!  (I have seen this
behavior!!)

Another one that I have seen is when they lock up all their desk
drawers but store the key in the pencil container on top of their
desk!

In summary, unless people are security conscious, security measures
might not be as effective as expected.

So, I think that a good approach would be to add this EXTRA service to
Savannah and then encourage people to use it (offering training, help,
and PATIENCE).  I hope that eventually more and more people would be
using it.

Also, perhaps offer a GNU GPG key server and such so that a GNU web
of trust can be implemented.  Ah!, and at all of the events where the
GNU Project is present, have a GPG signing mini-event to make people
aware of this and possibly hook up more people.

I don't think that these security measures should be forced even onto
GNU projects, as some maintainers might prefer to stop being
maintainers of the package, or to fork it so it is not GNU anymore and
therefore they don't need to follow those rules.  It should be an
option for them too.


Greetings,
- -- 
Hugo Gayosso
GNU Savannah Support
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFACKxkMNObVRBZveYRAvscAJ44We45yWvEQ5iIn8Ph29j6TOU9ewCePnwF
iP/lWj8T8DNGHGneShvhMtQ=
=+sv5
-----END PGP SIGNATURE-----
