
Re: DM Upload



On 06/28/2013 10:46 AM, Paul Tagliamonte wrote:
> On Fri, Jun 28, 2013 at 10:31:47AM +0800, Paul Wise wrote:
>> On Fri, Jun 28, 2013 at 9:39 AM, Paul Tagliamonte wrote:
>>
>>> Some examples from the man page:
>>>
>>>    $ dcut dm --uid "Paul Tagliamonte" --allow glibc
>>>    $ dcut dm --uid 0x0DEFACED --allow glibc linux --deny kfreebsd9
>>
>> Uhh, that should be changed to use the full fingerprint, please don't
>> teach people to use keyids.
> 
> I do very much agree, however, in this case, it uses this --uid hint to
> look up the full fingerprint from the DM keyring, and prompts the user
> to verify the full fingerprint.
> 
> I do agree it's bad to use short key IDs, but both dak and dput-ng are
> written to handle the full fingerprints internally :)
> 
> Cheers,
>   T

Though, if the key isn't in the keyring file (which isn't updated very
often, probably about once every 3 months), then you have to use the
--force option, and then the full fingerprint should be advised. [1]

This isn't documented anywhere, so I thought I would share feedback. I
would very much welcome such an addition in the man page of dcut.

Cheers,

Thomas Goirand (zigo)

[1] I raised this problem and wished that the keyring file was updated
more often, because then one has to trust whatever is downloaded from
the key server and the signatures attached to the DM gpg key you want to
allow, which isn't always nice (probably you didn't sign the keys of the
persons who signed the DM you want to allow, then you have to trust the
web of trust, which I would trust less than the keyring file which is
maintained with care, with no possibility of MitM attack (contrary to key
servers)). Though I was disappointed to read that there are discussions
about actually removing that file from the archive... :( (I hope I
understood correctly for this very last bit)
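
A sketch of the lookup policy discussed in this thread, as an added example that is not dput-ng's or dak's code: a `--uid` hint only selects a candidate from the keyring, an ambiguous hint is rejected, and the forced path (here enforced as the message above advises) accepts nothing but a full fingerprint. The keyring entries, function names and error type are constructed for illustration.

```python
import re

# Constructed sample keyring (fingerprint -> uid). These are not real keys;
# two of them deliberately share the short key ID 0DEFACED.
KEYRING = {
    "A1B2C3D4E5F60718293A4B5C6D7E8F900DEFACED": "Example Maintainer One <one@example.org>",
    "0F1E2D3C4B5A69788796A5B4C3D2E1F00DEFACED": "Example Maintainer Two <two@example.org>",
    "1234567890ABCDEF1234567890ABCDEF12345678": "Example Maintainer Three <three@example.org>",
}

FULL_FPR = re.compile(r"[0-9A-F]{40}")
KEY_ID = re.compile(r"[0-9A-F]{8}|[0-9A-F]{16}")  # short or long key ID


class ResolveError(Exception):
    """The hint does not identify exactly one acceptable key."""


def normalize(hint):
    """Drop spaces and an optional 0x prefix, and uppercase the rest."""
    h = hint.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h


def resolve(hint, keyring=KEYRING, force=False):
    """Return the one full fingerprint that `hint` refers to, or raise."""
    h = normalize(hint)
    if FULL_FPR.fullmatch(h):
        # A full fingerprint is unambiguous; outside the keyring it needs force.
        if h in keyring or force:
            return h
        raise ResolveError("fingerprint not in keyring; needs force")
    if force:
        # Nothing local to check a hint against, so a hint is not enough.
        raise ResolveError("force requires a full 40-hex fingerprint")
    if KEY_ID.fullmatch(h):
        hits = [f for f in keyring if f.endswith(h)]
    else:
        hits = [f for f, uid in keyring.items() if hint.lower() in uid.lower()]
    if len(hits) != 1:
        raise ResolveError(f"{len(hits)} keys match {hint!r}; give the full fingerprint")
    return hits[0]  # the caller still shows this to the user for confirmation
```
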

