[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian upload monitor

On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:

> I am curious how you could craft an upload that would use a key
> (ostensibly not your own, since you would know what you are uploading
> anyway) where you could use some random DD's key to do the upload
> without an email going to that DD.  It seems like you would need to
> forge the GPG signature.

For example, you have several IDs in your key.  If I have reason to
believe that you don't receive mail in one of them (for example, I can
notice that a domain has expired, or I can send fake spam to all of them
and see if one bounces), then I can use that address in Maintainer: and
Changed-by:, and dak will mail there.

But regardless of specific examples, this is an extra, complementary
layer of security.  The GPG key is our most important security token,
and a way to track its usage is the least that we should have.

Whether it belongs to QA or ftp-master, is what I'm trying to find out.



GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Attachment: signature.asc
Description: Digital signature

Reply to: