
Bug#702908: PTS: upload signature parsing patch



On Thu, Mar 14, 2013 at 3:37 AM, Markus Wanner wrote:

> Keep in mind that the public keys must also be available, so we can
> look up the UIDs of a key by fingerprint. Ideally with dynamic fetching
> from a keyserver. Not sure if that's feasible on quantz or not.
>
> Alternatively, we could / should use some existing database (UDD? LDAP?)

I guess we should just use a local copy of the keyring via rsync:

http://keyring.debian.org/

I guess we need historical data too, since people have left Debian and
the plan was to regenerate stuff for old mails?

Often the keyring will be out-of-date, so we also need to pull from
the keyservers.

> Well, how do you like this fixed?

How about "sponsored by someone" or "unknown sponsor"?

> I primarily wanted to know *who* sponsored a package, i.e. who signed. I
> don't care much if the signature is valid or not (at least not on PTS).

The fact that the package was sponsored is interesting info, no matter
who was the sponsor.

> Please keep in mind that i.e. a missing public key is neither the
> package maintainer's nor the uploader's fault. Thus a warning about that
> doesn't belong on PTS, IMO.

I don't think we need a warning, just to say the package was sponsored.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
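
The fingerprint-to-UID lookup discussed in this thread, sketched as an added example that is not part of the original message or of the PTS code: it parses `gpg --with-colons --list-keys` output from a local keyring copy and falls back to a neutral label when the signing key is missing. The function names and the sample listing are hypothetical and constructed for illustration, and the caller is assumed to have already determined that the signer is not the maintainer.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
SAMPLE_LISTING = r"""pub:-:4096:1:AAAAAAAAAAAAAAAA:1300000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1300000000::HASH1::Example Sponsor (team\x3a QA) <sponsor@example.org>:
uid:r::::1300000000::HASH2::Old Identity <old@example.org>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1300000000::::::s:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

def _unescape(value):
    # The colon format escapes special characters in user IDs as \xNN.
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_colon_listing(listing):
    """Map each fingerprint (primary key or subkey) to its key's UID list."""
    by_fpr, uids = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            uids = []                          # a new key block starts
        elif uids is None or len(fields) < 10:
            continue
        elif fields[0] == "fpr":
            by_fpr[fields[9].upper()] = uids   # shared list, filled by later uid lines
        elif fields[0] == "uid" and fields[1] != "r":   # skip revoked UIDs
            uids.append(_unescape(fields[9]))
    return by_fpr

def sponsor_label(signer_fpr, by_fpr):
    """Label for an upload already known to be signed by a non-maintainer."""
    uids = by_fpr.get(signer_fpr.replace(" ", "").upper())
    # Missing key (stale keyring, departed developer): no warning, just a neutral label.
    return "sponsored by " + uids[0] if uids else "unknown sponsor"
```

Indexing subkey fingerprints as well matters because a signature made with a signing subkey reports the subkey's fingerprint, not the primary key's.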

