
Bug#702908: PTS: upload signature parsing patch



On Wed, Mar 13, 2013 at 5:34 AM, Markus Wanner wrote:

> motivated by Paul Wise, I scratched my own itch: here's a patch that
> makes PTS parse GPG signatures - therefore being able to display a
> package's sponsor. Please review.

Awesome, thanks! We need more folks working on Debian QA
infrastructure, I hope you'll continue to help out :)

> I'm using GPGME, or rather its python binding, so python-gpgme becomes a
> dependency.

Unfortunately python-gpgme isn't installed on quantz yet, so the patch
can't be applied yet. I'll mail DSA about this.

> Currently, if there's anything wrong with the signature or the public
> key missing, there's no warning or anything. It will simply fall back to
> display the sender of the email, as before. Not sure if that's much of
> an issue.

I think that is an important thing to fix. I am also not qualified to
determine if your signature verification code is OK. I have added
Ansgar Burchardt to the recipients, he has been auditing Debian's GPG
verification code and finding issues. Ansgar, could you take a look at
the last hunk of this patch against the PTS code?

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=support-sign-lookup.diff;att=1;bug=702908

> A public key may have multiple uids and the signature is only specific
> to the key, not any specific uid. But I only want to display a single
> uid. The way I implemented this now is: we take the first uid. Only if a
> later uid has an email ending in "@debian.org", we prefer that one.
> That's certainly not ideal. We could possibly do an LDAP lookup via the
> key's fingerprint on db.debian.org instead...

Hmmm, not sure what to say there. It seems like a reasonable approach for now.

> In the news.xml file, I replaced the "from" attribute of the news item
> with more fine-grained "from_address" and "from_realname". However, I
> think existing entries will be kept, so the XSL-templates need to be
> able to parse both. At least that's how I've implemented it. If a
> complete rewrite of all news.xml files is feasible, the XSLTs could be
> simplified quite a bit.

I guess this is needed for the developer.php links, fair enough.

> I also added links to http://qa.debian.org/developer.php?login=$EMAIL
> for both the sender and signer of the mail in the HTML display of the
> NEWS. Not in RSS.

Nice touch.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
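
The uid choice and the silent fallback discussed in this message, as an added example that is not part of the message or of the PTS patch: it picks the display uid by the rule described (first uid, unless a later one has an @debian.org address) and records why the sender was shown instead of the signer. The `Uid` and `Attribution` types, the function names and the `sig_valid`/`problem` inputs are hypothetical; the signature verification itself is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional, Tuple

DEBIAN = "@debian.org"

@dataclass
class Uid:  # hypothetical stand-in for one uid of the signing key
    text: str  # "Real Name <address>"
    revoked: bool = False

@dataclass
class Attribution:
    realname: str
    address: str
    source: str  # "signature" or "sender"
    warning: Optional[str] = None  # set whenever we fell back to the sender

def pick_uid(uids: List[Uid]) -> Optional[Tuple[str, str]]:
    """First usable uid; a later @debian.org uid replaces a non-Debian one."""
    chosen = None
    for uid in uids:
        if uid.revoked:  # assumption: revoked uids are never displayed
            continue
        name, addr = parseaddr(uid.text)
        if "@" not in addr:  # uid without a parsable e-mail address
            continue
        if chosen is None:
            chosen = (name, addr)
        elif addr.lower().endswith(DEBIAN) and not chosen[1].lower().endswith(DEBIAN):
            chosen = (name, addr)
    return chosen

def attribute(sender_name: str, sender_addr: str, sig_valid: bool,
              uids: List[Uid], problem: Optional[str] = None) -> Attribution:
    """Show the signer only for a verified signature; otherwise say why not."""
    if not sig_valid:
        return Attribution(sender_name, sender_addr, "sender",
                           problem or "signature not verified")
    picked = pick_uid(uids)
    if picked is None:
        return Attribution(sender_name, sender_addr, "sender",
                           "signing key has no usable uid")
    return Attribution(picked[0], picked[1], "signature")
```

Carrying the `warning` field through to the stored news item lets a later stage display or log the reason instead of silently showing the sender.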

