On Mon, Jan 28, 2008 at 03:12:58 -0500, Shawn O. Pearce wrote:
> Sam Vilain <sam@xxxxxxxxxx> wrote:
> > This does force potential contributors to get PGP keys, and get them
> > signed - but that seems to me to be a reasonable barrier of entry and
> > may even help drive some PGP adoption.
>
> In many cases today such contributors would have been forced to get
> an SSH account on the server they want to push to. Getting an SSH
> account configured and a key installed may be more difficult than
> generating a PGP key pair and emailing in the public key.

Actually no. An SSH key pair is good enough in the current situation. In fact
it might be *better* than an SSH account, because with an SSH account, the user
either has or does not have write access, while with an SSH key pair he is
still subject to limitations enforced by the receive-hook.

> Of course the PGP based system is nicer in that the administrator
> might get a public key that has been signed by others he trusts,
> and thus is more readily able to verify that the contributor is
> who they think it is.

That, however, is an advantage of PGP. Obviously, additional rules can still
be enforced by the receive-hook.

--
Jan 'Bulb' Hudec <bulb@xxxxxx>