
DM upload permissions in detail




Hi there,

I've been asking this question on debian-mentors before, but people
involved in this process might be better addressed through d-d, so I
hope you don't mind, as I got no answer there so far.

I was wondering what the exact requirements for DM uploads to the Debian
archive are. The Wiki tells [1]:

"Packages signed by a key in the debian-maintainers keyring will be
accepted if the [..] the previous version of the package contains this
maintainer's primary UID"

Now, what's exactly meant by primary UID? The primary GPG UID? If yes,
am I right when I assume signing a package with a non-primary GPG UID
or even more with a sub key won't work to fulfill DM upload rights?

I took a look into the dak source:


fpr = get_fingerprint(self.pkg.changes['fingerprint'], session=session)
...

def check_dm_upload(self, fpr, session):
...
        rej = False
...
        # uploader includes the maintainer
        accept = False
        for uploader in r.uploaders:
            (rfc822, rfc2047, name, email) = uploader.get_split_maintainer()
            # Eww - I hope we never have two people with the same name in Debian
            if email == fpr.uid.uid or name == fpr.uid.name:
                accept = True
                break

This seems to support my assumption, as only a single UID, i.e. the first
UID of the fingerprint, is verified for DM upload permissions. Given
that, the following fictional key would not work:


pub   1024D/.... 2004-07-07
      Key fingerprint = ... ... ... ... ...
uid                  John Doe <john@example.com>
uid                  John Doe <john@example.net>
sub   1024g/... 2004-07-07
sub   4096R/... 2011-01-01
sub   4096R/... 2011-01-01

when the 4k sub key together with the example.net UID were used to
sign packages, right? That would be bad and a purely artificial
constraint. On the other hand, it's good to know now, before I actually
tried to get DD signatures for that key ;)
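A small Python model of the matching loop quoted above, added here as an illustration; it is not dak's code and not part of the original mail. The Uid, Fingerprint and Uploader classes are constructed stand-ins for the objects the excerpt reads (fpr.uid.uid, fpr.uid.name, r.uploaders), dm_match_any_uid is a hypothetical stricter variant that is not in dak, and the demo data mirrors the fictional key in the mail. The model reports which of the two comparisons in the excerpt (address or real name) accepted an uploader, which is what decides the second-UID case.

```python
import email.utils
from dataclasses import dataclass

# Constructed stand-ins for the dak objects the excerpt touches (fpr, fpr.uid,
# r.uploaders). They are hypothetical and model only the fields the loop reads.

@dataclass
class Uid:
    uid: str    # e-mail address, what the excerpt compares as fpr.uid.uid
    name: str   # real name, what it compares as fpr.uid.name

@dataclass
class Fingerprint:
    fpr: str    # key fingerprint (constructed placeholder in the demo)
    uid: Uid    # exactly one UID record hangs off a fingerprint in this model

@dataclass
class Uploader:
    raw: str    # one Maintainer:/Uploaders: entry, e.g. "John Doe <john@example.com>"

    def get_split_maintainer(self):
        # Same tuple shape as in the excerpt; the rfc822 and rfc2047 forms are
        # not needed for the comparison, so the raw string stands in for both.
        name, addr = email.utils.parseaddr(self.raw)
        return (self.raw, self.raw, name, addr)

def dm_match_rule(fpr, uploaders):
    """Replay the loop from the excerpt and report which comparison accepted.

    Returns "email" if an uploader address equals the key's UID address,
    "name" if only the real name matched, or None if nothing matched
    (the excerpt's accept = False case). The accept/reject outcome is the
    same as the excerpt's combined `or` test.
    """
    for uploader in uploaders:
        (rfc822, rfc2047, name, addr) = uploader.get_split_maintainer()
        if addr == fpr.uid.uid:
            return "email"
        if name == fpr.uid.name:
            return "name"
    return None

def dm_match_any_uid(uids, uploaders):
    """Hypothetical stricter variant (not dak's): compare every UID on the key,
    by address only, so a second UID is usable without relying on a name match."""
    addresses = {u.uid for u in uids}
    for uploader in uploaders:
        _, _, _, addr = uploader.get_split_maintainer()
        if addr in addresses:
            return True
    return False

# Constructed demo data mirroring the fictional key in the mail: two UIDs with
# the same real name, and a fingerprint record tied to the first UID only.
KEY_UIDS = [Uid("john@example.com", "John Doe"), Uid("john@example.net", "John Doe")]
FPR = Fingerprint("PLACEHOLDER-FINGERPRINT", KEY_UIDS[0])

if __name__ == "__main__":
    for entry in ["John Doe <john@example.com>",
                  "John Doe <john@example.net>",
                  "Jonathan Doe <john@example.net>"]:
        print(f"{entry!r:40} -> {dm_match_rule(FPR, [Uploader(entry)])}")
```

Running the model shows that the second address only gets through when the real name in the Uploaders field is identical to the name on the UID dak has on record, which is exactly the "two people with the same name" case the comment in the excerpt worries about.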


[1] http://wiki.debian.org/DebianMaintainer

-- 
with kind regards,
Arno Töll
GnuPG Key-ID: 0x8408D4C4

