Bug#702908: PTS: upload signature parsing patch
On Thu, Mar 14, 2013 at 3:37 AM, Markus Wanner wrote:
> Keep in mind that the public keys must also be available, so we can
> look up the UIDs of a key by fingerprint. Ideally with dynamic fetching
> from a keyserver. Not sure if that's feasible on quantz or not.
>
> Alternatively, we could / should use some existing database (UDD? LDAP?)

I guess we should just use a local copy of the keyring via rsync:
http://keyring.debian.org/

I guess we need historical data too, since people have left Debian and
the plan was to regenerate stuff for old mails?

Often the keyring will be out-of-date, so we also need to pull from
the keyservers.

> Well, how do you like this fixed?

How about "sponsored by someone" or "unknown sponsor"?

> I primarily wanted to know *who* sponsored a package, i.e. who signed. I
> don't care much if the signature is valid or not (at least not on PTS).

The fact that the package was sponsored is interesting info, no matter
who was the sponsor.

> Please keep in mind that i.e. a missing public key is neither the
> package maintainer's nor the uploader's fault. Thus a warning about that
> doesn't belong on PTS, IMO.

I don't think we need a warning, just to say the package was sponsored.
--
bye,
pabs
http://wiki.debian.org/PaulWise
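
Added example, not part of the original message or of the PTS code: one way to resolve a signing-key fingerprint to UIDs from a local keyring copy, trying the current keyring and then an older snapshot, and falling back to "unknown sponsor". It assumes the keyrings were dumped with `gpg --with-colons --fingerprint`; the sample keys, the function names and the "sponsored by <uid>" label format are constructed for illustration, and the keyserver fallback is left out so the example runs offline.

```python
import re

# Constructed sample data in `gpg --with-colons --fingerprint` listing format
# (not real keys): a current keyring and an older snapshot.
CURRENT = r"""pub:-:4096:1:89ABCDEF01234567:1262304000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::::Alice Example <alice@example.org>:
sub:-:4096:1:0000111122223333:1262304000::::::s:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""
HISTORICAL = r"""pub:-:1024:17:CCCCDDDDEEEEFFFF:1009843200:::-:::scESC:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:
uid:-::::1009843200::::Bob Example (retired\x3a 2011) <bob@example.org>:
"""

def unescape(field):
    # gpg writes ':' and control characters inside a field as \xNN
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def index_keyring(listing):
    """Map each primary-key and subkey fingerprint to the key's UID list."""
    index, uids = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            uids = []                        # one list shared by the key block
        elif uids is None or len(f) < 10:
            continue                         # stray or truncated record
        elif f[0] == "fpr":
            index[f[9].upper()] = uids       # a subkey fpr maps to the same UIDs
        elif f[0] == "uid" and f[1] != "r":  # skip revoked UIDs
            uids.append(unescape(f[9]))
    return index

def sponsor_label(fingerprint, *keyrings):
    """Try the keyrings in order; unresolved keys get a neutral label."""
    fpr = fingerprint.replace(" ", "").upper()
    for ring in keyrings:
        uids = ring.get(fpr)
        if uids:
            return "sponsored by " + uids[0]  # label format is an assumption
    return "unknown sponsor"

current, historical = index_keyring(CURRENT), index_keyring(HISTORICAL)
```

Indexing subkey fingerprints matters because a signature made with a signing subkey reports that subkey's fingerprint, not the primary key's.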