
Bug#702908: PTS: upload signature parsing patch
On 03/13/2013 04:23 AM, Paul Wise wrote:
> Unfortunately python-gpgme isn't installed on quantz yet, so the patch
> can't be applied yet. I'll mail DSA about this.

Keep in mind that the public keys must also be available, so we can
look up the UIDs of a key by fingerprint. Ideally with dynamic fetching
from a keyserver. Not sure if that's feasible on quantz or not.

Alternatively, we could / should use some existing database (UDD? LDAP?)

>> Currently, if there's anything wrong with the signature or the public
>> key missing, there's no warning or anything. It will simply fall back to
>> display the sender of the email, as before. Not sure if that's much of
>> an issue.
> 
> I think that is an important thing to fix.

Well, how do you like this fixed?

I primarily wanted to know *who* sponsored a package, i.e. who signed. I
don't care much if the signature is valid or not (at least not on PTS).

Please keep in mind that i.e. a missing public key is neither the
package maintainer's nor the uploader's fault. Thus a warning about that
doesn't belong on PTS, IMO.

You might be able to convince me about other reasons that render a
signature invalid, i.e. revoked keys, certs, CRC mismatches, etc. Then
again, is PTS really the correct place to warn about such things? After
all, it's barely related to the specific package you are looking at.

> Ansgar, could you take a look at
> the last hunk of this patch against the PTS code?

I've just sent a corrected patch that is more verbose and clearer WRT
signature checking. See here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=32;filename=support-sign-lookup_v2.diff;att=1;bug=702908

Regards

Markus Wanner
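Added example, not part of the bug report or of the PTS patch: the signer lookup and fallback behaviour discussed in this thread, written against the textual output of `gpg --verify --status-fd 1` instead of python-gpgme so it runs without that binding. The status lines below are constructed samples; `signer_from_status` is a hypothetical name.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Status lines as emitted by "gpg --verify --status-fd 1". GOODSIG, EXPKEYSIG,
# REVKEYSIG and BADSIG all name the key's UID, so the signer is known even when
# the signature is not valid; NO_PUBKEY means gpg could not identify anyone.
_SIG = re.compile(r"^\[GNUPG:\] (GOODSIG|EXPKEYSIG|REVKEYSIG|BADSIG) ([0-9A-F]+) (.+)$")
_FPR = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")
_MISSING = re.compile(r"^\[GNUPG:\] NO_PUBKEY ([0-9A-F]+)$")


class Signer(NamedTuple):
    uid: str                    # identity to display on the PTS page
    fingerprint: Optional[str]  # full fingerprint, only present for VALIDSIG
    status: str                 # GOODSIG / EXPKEYSIG / REVKEYSIG / BADSIG / NO_PUBKEY / NONE


def signer_from_status(status_lines: Iterable[str], mail_sender: str) -> Signer:
    """Return who signed an upload. Whenever gpg could name the key, show the
    key's UID (even for expired/revoked keys or a bad signature); otherwise fall
    back to the mail's From: header, which is what the PTS displayed before."""
    uid, fpr, status = None, None, "NONE"
    for line in status_lines:
        m = _SIG.match(line)
        if m:
            status, uid = m.group(1), m.group(3)
            continue
        m = _FPR.match(line)
        if m:
            fpr = m.group(1)
            continue
        if _MISSING.match(line):
            status = "NO_PUBKEY"
    return Signer(uid if uid is not None else mail_sender, fpr, status)


# Constructed sample status output (not captured from a real upload).
GOOD_UPLOAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Jane Sponsor <jane@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-03-13 "
    "1363150000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
]
KEY_MISSING = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1363150000 9",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]
```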
