[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Authentication with LP for DD's using gnupg

> On Sun, Jul 27, 2008 at 03:58:57PM +0100, Neil Williams wrote:
> > > > * Reinhard Tartler [Wed, Jul 23 2008, 04:36:39PM]:
> > > >> > How about activating it the first time they send a gpg-signed
> mail to
> > > >> > the mail interface?
> > How about simply allowing any DD to send gpg-signed email to add
> ^^
> That requires LP to know who is or isn't a DD. Currently it has no
> such
> knowledge, and I think it would require a fair amount of discussion to
> decide how best to get such information, with a none-too-elegant
> outcome
> (special-casing Debian out of all the projects in the world that
> Launchpad
> seeks to interface with), which is why I didn't suggest this.

As mentioned in other replies, Debian is a special case for Ubuntu IMHO.

> That doesn't mean that the Launchpad developers won't implement it;
> perhaps
> the bug Scott filed will bear fruit. But I think it's worth
> considering
> other solutions in the meantime.

Had an idea last night:

What about the .dsc files?

.changes files are lost (so we don't have access to the Changed-By:
field) but .dsc is retained in the Debian pool and therefore available
to the Ubuntu sync process. The .dsc exists for all packages.

It would be relatively simple to process the .dsc:

1. gpg verify the .dsc
2. parse the output to get the ID list
3. Compare the ID list against the Maintainer and Uploader control
4. If there is a match, add that GnuPG key as an authenticated DD for
the purposes of bug reports - accept any email signed by that GnuPG key
into the bug email system.

This excludes sponsored packages (which is probably correct), it
excludes NMU's (which is probably fine too). It works on the basis that
the signature has been accepted by dak in the first place. Removals
might have to be manual - although it could be possible to track the
number of packages assigned to each key and remove if that number falls
to zero?

Is that sufficient to identify a DD? It's not bullet proof and it might
exclude some but this is only for a website login, it's not as if this
method authenticates a DD to modify Ubuntu itself.


Neil Williams

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: