Re: gpg changesets (was Re: Bits from the DPL: DSA and buildds and DAM, oh my!)

On Fri, Feb 23, 2007 at 11:15:00PM -0500, Joey Hess wrote:
> Changed-By: Joey Hess <joeyh@debian.org>
> Comment: Removing an old email address.

I'm not sure that's plausible -- afaik the keyring gets synced to the
real keyservers for new signatures and uids, so removing addresses
doesn't work; though iirc you can do a revocation of a uid these days.

> Changed-By: Joey Hess <joeyh@debian.org>
> Comment: Joey also wants to have two keys in the keyring, here's the new one.

From: joeyh
To: keyring-maint
Subject: Re: wtf is this new key??

> > Hey! What's with the new key? That's not mine! What's going on???
> You sent a signed mail requesting it, see attached.

Crap, that wasn't me. Looks like my key's been compromised. Here's a signed
disavowal of the new key, and a revocation of the old key. Please check for
any uploads signed with the new key, they could be trojans.

There should be some way of getting back to the original conversation
in case something goes wrong. I guess a field containing a URL to an rt
entry or similar would work?

> Note that this is a relative changeset: its action depends on the
> keyring it's run on, since it deletes uid 3 of 788A3F4C. 

That means you can't reorder changesets easily. I wonder if it'd be
better to say "del uid joeyh@master.debian.org" and have the tool work out
which uid (if any) that is.

> Which points to the need for the review tool.

I wonder if review stuff should be somewhere for easy grepping? Things
like the keycheck.sh output included in AM reports would be useful to
have around.

> joey@kodama:~>cmp input.gpg TESTRING.gpg 
> joey@kodama:~>

Didn't you delete a uid as well as add and remove a key? Why aren't
there differences?

