Re: State of the debian keyring
Enrico Zini writes ("Re: State of the debian keyring"):
> ...which reminds me of http://www.enricozini.org/2008/tips/audit-uploads/
> which was a prototype of creating an audit log of key usage in debian.
> This means hooking into any place where a signature verification or a
> decryption actually happens in Debian: I can think of uploads,
> db.debian.org, voting, keyring requests, RT tickets filed, emails
> received by lists or the BTS: are there more?
My (not-yet-deployed) dgit push receiver (to support, amongst other
things, dm uploads), which depends on tags signed by dm pgp keys.
ssh push to alioth. (Sorry to add a very hairy yak to your plan.)
> So I can't just open vim and write the code: auditing key usage in
> package uploads requires someone who knows dak inside out, and can
> commit to maintaining notification triggers in all obscure corners where
> keys are used, now and in future updates of the ftp-master toolchain.
> Same goes for any other bit of Debian.
Perhaps we could provide a patched version of gpg[v] which phones home
to report the verification.
> The starting point for this work is probably this, then: is it just me,
> feeling that we have a problem here, or am I actually in the good
> company of people who can do their bit?
I think this would be nice, and having a partial audit would be better
than no audit.