[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Authentication with LP for DD's using gnupg

Neil Williams escribió:
> What about the .dsc files?
> .changes files are lost (so we don't have access to the Changed-By:
> field) but .dsc is retained in the Debian pool and therefore available
> to the Ubuntu sync process. The .dsc exists for all packages.
> It would be relatively simple to process the .dsc:
> 1. gpg verify the .dsc
> 2. parse the output to get the ID list
> 3. Compare the ID list against the Maintainer and Uploader control
> fields.
> 4. If there is a match, add that GnuPG key as an authenticated DD for
> the purposes of bug reports - accept any email signed by that GnuPG key
> into the bug email system.
> This excludes sponsored packages (which is probably correct), it
> excludes NMU's (which is probably fine too). It works on the basis that
> the signature has been accepted by dak in the first place. Removals
> might have to be manual - although it could be possible to track the
> number of packages assigned to each key and remove if that number falls
> to zero?
> Is that sufficient to identify a DD? It's not bullet proof and it might
> exclude some but this is only for a website login, it's not as if this
> method authenticates a DD to modify Ubuntu itself.
> Had an idea last night:
What happens when the maintainer is a team and in the same upload there
are two guys (very usual) listened on changelogs, just ignore them
managing bugs?



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: