On Thu, May 01, 2008 at 05:58:40PM +0100, Enrico Zini wrote: > On Thu, May 01, 2008 at 05:25:16PM +0200, Thijs Kinkhorst wrote: > > > Doesn't dak already send you an email when it processes an upload with your > > key? What exactly does this add on top of that functionality? > > The problem is that it seems to be possible to craft an upload that will > send an email elsewhere so you won't notice it. > How so? I'm sure the dak maintainers would like to know of this. My understanding is that dak does it like this: - extract ID of key used to sign upload - lookup ID in Debian keyring - determine Debian account associated with key ID - send email to that Debian email (unless the uploader's email, as noted in the changelog entry, is one of the ones explicitly listed in the key) I am curious how you could craft an upload that would use a key (ostensibly not your own, since you would know what you are uploading anyway) where you could use some random DD's key to do the upload without an email going to that DD. It seems like you would need to forge the GPG signature. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com
Attachment:
signature.asc
Description: Digital signature