[Python-Dev] Snakebite build slaves and developer SSH/GPG public keys

[Nick Coghlan]

On Thu, Aug 23, 2012 at 8:28 AM, Trent Nelson <trent at snakebite.org> wrote:
> Hi folks,
>
>     I've set up a bunch of Snakebite build slaves over the past week.
>     One of the original goals was to provide Python committers with
>     full access to the slaves, which I'm still keen on providing.
>
>     What's a nice simple way to achieve that in the interim?  Here's
>     what I was thinking:
>
>         - Create a new hg repo: hg.python.org/keys.
>
>         - Committers can push to it just like any other repo (i.e.
>           same ssh/authz configuration as cpython).
>
>         - Repo is laid out as follows:
>             keys/
>                 <python username>/
>                     ssh     (ssh public key)
>                     gpg     (gpg public key)
>
>         - Prime the repo with the current .ssh/authorized_keys
>           (presuming you still use the --tunnel-user facility?).

Make ssh and gpg directories and this sounds like a usefully secure
way to allow us to add extra keys (currently, there's a security hole
in the fact that requests to change our registered ssh key for access
are not themselves authenticated electronically)

Also, nice work on getting to this point, even though it turned out to
be a lot more work than you originally anticipated!

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia