On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote: > I am curious how you could craft an upload that would use a key > (ostensibly not your own, since you would know what you are uploading > anyway) where you could use some random DD's key to do the upload > without an email going to that DD. It seems like you would need to > forge the GPG signature. For example, you have several IDs in your key. If I have reason to believe that you don't receive mail in one of them (for example, I can notice that a domain has expired, or I can send fake spam to all of them and see if one bounces), then I can use that address in Maintainer: and Changed-by:, and dak will mail there. But regardless of specific examples, this is an extra, complementary layer of security. The GPG key is our most important security token, and a way to track its usage is the least that we should have. Whether it belongs to QA or ftp-master, is what I'm trying to find out. Ciao, Enrico -- GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
Attachment:
signature.asc
Description: Digital signature