
Re: Authentication with LP for DD's using gnupg



Neil Williams wrote:
> What about the .dsc files?
>
> .changes files are lost (so we don't have access to the Changed-By:
> field) but .dsc is retained in the Debian pool and therefore available
> to the Ubuntu sync process. The .dsc exists for all packages.
>
> It would be relatively simple to process the .dsc:
>
> 1. gpg verify the .dsc
> 2. parse the output to get the ID list
> 3. Compare the ID list against the Maintainer and Uploader control
> fields.
> 4. If there is a match, add that GnuPG key as an authenticated DD for
> the purposes of bug reports - accept any email signed by that GnuPG key
> into the bug email system.
>
> This excludes sponsored packages (which is probably correct), it
> excludes NMU's (which is probably fine too). It works on the basis that
> the signature has been accepted by dak in the first place. Removals
> might have to be manual - although it could be possible to track the
> number of packages assigned to each key and remove if that number falls
> to zero?
>
> Is that sufficient to identify a DD? It's not bullet proof and it might
> exclude some but this is only for a website login, it's not as if this
> method authenticates a DD to modify Ubuntu itself.
>
>   
> Had an idea last night:
What happens when the maintainer is a team and in the same upload there
are two guys (very usual) listed in the changelogs, just ignore them
managing bugs?



Greetings,

Dererk

Attachment: signature.asc
Description: OpenPGP digital signature
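The four steps quoted above, and the team-maintainer case raised in the reply, as an added example that is not part of the original thread: it matches the signing key's user IDs against the Maintainer and Uploaders fields of a .dsc. It assumes the status text comes from `gpg --status-fd 1 --verify` and the key listing from `gpg --with-colons --list-keys`; the inputs below are constructed, and all function names are hypothetical.

```python
import re
from email.utils import getaddresses

# Constructed sample inputs (not a real key or package).
FPR = "A" * 40
DSC = """Source: examplepkg
Maintainer: Example Packaging Team <pkg-example@lists.example.org>
Uploaders: Alice Example <alice@example.org>,
 Bob Example <bob@example.org>
Version: 1.0-1
"""
STATUS = f"""[GNUPG:] GOODSIG {FPR[-16:]} Alice Example <alice@example.org>
[GNUPG:] VALIDSIG {FPR} 2009-01-01 1230768000 0 4 0 1 8 01 {FPR}
"""
COLONS = f"""fpr:::::::::{FPR}:
uid:u::::1230768000::0000::Alice Example <alice@example.org>:
uid:r::::1230768000::0000::Alice Example <alice@old.example.net>:
"""

def signer_fingerprint(status):
    """Primary-key fingerprint from a VALIDSIG line; None if there is none."""
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # The primary-key fingerprint is the last VALIDSIG argument.
            return parts[-1] if len(parts) >= 12 else parts[2]

def key_emails(colons):
    """Addresses on uid records that are neither revoked (r) nor expired (e)."""
    uids = [f[9] for f in (l.split(":") for l in colons.splitlines())
            if f[0] == "uid" and len(f) > 9 and f[1] not in ("r", "e")]
    return {addr.lower() for _, addr in getaddresses(uids) if addr}

def dsc_addresses(dsc):
    """Maintainer and Uploaders addresses, with folded lines unfolded."""
    out = {}
    for field in ("Maintainer", "Uploaders"):
        m = re.search(rf"^{field}:(.*(?:\n[ \t].*)*)", dsc, re.M)
        raw = re.sub(r"\n[ \t]+", " ", m.group(1)) if m else ""
        out[field] = {a.lower() for _, a in getaddresses([raw]) if a}
    return out

def authenticate(dsc, status, colons):
    """Return (fingerprint, {field: matched addresses}) or None."""
    fpr = signer_fingerprint(status)
    if fpr is None:
        return None
    keys = key_emails(colons)
    hits = {k: v & keys for k, v in dsc_addresses(dsc).items() if v & keys}
    return (fpr, hits) if hits else None
```

On the sample, the team address in Maintainer never matches a personal key, so the signer is accepted only through Uploaders, and the second uploader gains nothing from this upload.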

