Re: [Savannah-hackers] savannah update

[Nic Ferrier]

Hugo Gayosso <address@hidden> writes:

> I am pro-security, and I really would like to see all CVS commit
> signed, all the releases signed, etc.  But I think people should be
> doing this because they have convinced themselves, otherwise real
> security will not be obtained because some people will not be
> following rules they do not agree with.
> 
> A typical example is when in companies people are forced to use
> different passwords for different applications, plus they have to
> remember certain access code for doors (physical door, and such), some
> people end up writing all the passwords and access codes and posting
> them on their monitor, etc. 
> 
> Or worse, they use the same password for their personal email (Yahoo,
> Hotmail, etc.) and for their corporate work!!!  (I have seen this
> behavior!!)
> 
> Another one that I have seen is when they lock up all their desk
> drawers but store the key in the pencil container on top of their
> desk!
> 
> In summary unless people are security conscious security measures
> might not be as effective as expected.
> 
> So, I think that a good approach would be to add this EXTRA service to
> Savannah and then encourage people to use it (offering training, help,
> and PATIENCE).  I hope that eventually more and more people would be
> using it.
> 
> Also perhaps offering a GNU GPG key server and such so a GNU web of
> trust can be implemented.  Ah!, and on all of the events where the GNU
> Project is present, have a GPG signing mini-event to make people aware
> of this, and possibly hooking up more people.
> 
> I don't think that this security measures should be forced even onto
> GNU projects as some maintainers might prefer to stop being
> maintainers of the package or fork it so it is not GNU anymore and
> therefore they don't need to follow those rules.  It should be an
> option to them too.

Hear Hear.


Nic