
Re: a potential patch for sigcheck waiting for db.d.o indefinitely



On Sat, Jul 19, 2003 at 06:37:49PM +0200, Josip Rodin wrote:
> Hi,
> 
> The signature checking script on lists.debian.org (for automatic posts to
> debian-{security,devel}-announce) tends to hang indefinitely while db.d.o is
> down, at the same time sitting on the CPU (!).
> 
> <snip>
> How does that sound? This is basically guesswork, but it should make some
> sense, judging by the patch I just saw tbm post for a similar script in the
> qa CVS repo.
> 
> Those Err{Msg,Type} have some significance (it seems like a global error
> handler of some sort, looking at the except: case below) but this failure
> is apparently not an EX_TEMPFAIL and I don't know what it is. :)
> 
> (One may notice that I also changed the first attribute of the bind()
> function to include the existing LDAPDn variable... I don't know why it
> would work without it (possibly due to the old slapd on samosa), and it
> seems cleaner with it.)
> 

Can we have it ignore the LDAP stuff if it can't find the server, instead
of aborting?

It currently uses LDAP for:
- Checking that the fingerprint used only belongs to one person
- Getting the groups the owner of the fingerprint belongs to
- Checking that the group is the one that was given as an argument to sigcheck.

It checks the signature with its copy of /org/keyring.debian.org, so LDAP is
really only used to check that the person is allowed to post to that list.

If you want to stop J. Random Developer from posting on the list, we can keep
a local copy of who is in the security group. While this list will lag behind
LDAP, it means that when db.debian.org goes down, there is still some 
functionality.

Cheers,

Pasc
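
One way to implement the fallback proposed in the message above, as an added example that is not part of the original post or of sigcheck itself: the three LDAP checks run against the directory when it answers, and against a local copy when it does not. The `lookup` callable, the `DirectoryUnavailable` exception, the JSON cache file and the `max_age` staleness bound are all assumptions made for the illustration.

```python
import json
import os
import time


class DirectoryUnavailable(Exception):
    """The directory lookup could not reach the server (down or timed out)."""


def _load(cache_path):
    try:
        with open(cache_path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}  # a missing or corrupt cache is treated as empty


def _save(cache_path, cache):
    tmp = cache_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(cache, fh)
    os.replace(tmp, cache_path)  # atomic swap: readers never see a partial file


def is_allowed(fingerprint, group, lookup, cache_path, max_age=86400, now=None):
    """Return (allowed, source); source is 'directory', 'cache' or 'none'.

    lookup(fingerprint) is a hypothetical callable returning a list of
    (uid, [groups]) entries, or raising DirectoryUnavailable.
    max_age (seconds) is an assumed bound on how far the copy may lag.
    """
    now = time.time() if now is None else now
    cache = _load(cache_path)
    try:
        entries = lookup(fingerprint)
    except DirectoryUnavailable:
        hit = cache.get(fingerprint)
        # Fail closed when there is no cached answer or it is older than max_age.
        if not hit or now - hit["seen"] > max_age:
            return False, "none"
        return group in hit["groups"], "cache"
    if len(entries) != 1:  # the fingerprint must belong to exactly one person
        cache.pop(fingerprint, None)
        _save(cache_path, cache)
        return False, "directory"
    uid, groups = entries[0]
    cache[fingerprint] = {"uid": uid, "groups": sorted(groups), "seen": now}
    _save(cache_path, cache)
    return group in groups, "directory"
```

A member removed from the group in the directory stays authorised from the local copy until the next successful lookup or until `max_age` expires, which is the lag the message mentions.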



