[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian upload monitor

On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:
> On Thu, May 01, 2008 at 05:58:40PM +0100, Enrico Zini wrote:
> > On Thu, May 01, 2008 at 05:25:16PM +0200, Thijs Kinkhorst wrote:
> > 
> > > Doesn't dak already send you an email when it processes an upload with your 
> > > key? What exactly does this add on top of that functionality?
> > 
> > The problem is that it seems to be possible to craft an upload that will
> > send an email elsewhere so you won't notice it.
> > 
> How so?  I'm sure the dak maintainers would like to know of this.  My
> understanding is that dak does it like this:
>  - extract ID of key used to sign upload
>  - lookup ID in Debian keyring

Those things it does.

>  - determine Debian account associated with key ID
>  - send email to that Debian email (unless the uploader's email, as
>    noted in the changelog entry, is one of the ones explicitly listed in
>    the key)

That it does very recently in case of sponsored uploads, but not for
other uploads.

It will always mail to the address in Changed-By.

I think for normal source uploads it will also mail to the Maintainer,
but I'm not sure about that.


Reply to: