On 03/14/2013 04:39 AM, Paul Wise wrote:
> I guess we should just use a local copy of the keyring via rsync:
>
> http://keyring.debian.org/
>
> I guess we need historical data too, since people have left Debian and
> the plan was to regenerate stuff for old mails?
>
> Often the keyring will be out-of-date, so we also need to pull from
> the keyservers.

Okay. I'll check if and how to query keyservers (from GPGME or by invoking gpg). Pretty much everything else (rsync, gpg, initial keyring, etc.) needs to be put in place by an admin, I think.

>> Well, how do you like this fixed?
>
> How about "sponsored by someone" or "unknown sponsor"?

For example, for the monotone package I made it say:

  [2012-05-10] Accepted 1.0-6 in unstable (low) (Markus Wanner - signed by: Ludovic Brenta)

(The subject being a link to the mail, "Markus Wanner" and "Ludovic Brenta" now linking to the respective q.d.o/developer.php page.)

As these are plain mails that could have any content, I was hesitant to speak of sponsorship. I think "signed by" is clear enough. Or are you saying all signatures of mails the PTS parses are for sponsored packages?

>> I primarily wanted to know *who* sponsored a package, i.e. who signed. I
>> don't care much if the signature is valid or not (at least not on PTS).
>
> The fact that the package was sponsored is interesting info, no matter
> who was the sponsor.

Sure. That's pretty much how I tried to implement things: even if the key or signature are expired or such, this displays the signer of the message, thereby providing the "was sponsored" info.

Thinking about it, there may be team-maintained packages where ChangedBy is different from the signer, but both are DDs. Would you still call that sponsorship?

However, if we don't have the pubkey, we cannot tell whose pubkey it is. Thus, we cannot tell whether the author (ChangedBy) himself or a different sponsor signed the mail.

The current patch doesn't warn about that situation, but simply displays the news as if it were signed by the sender. As that's the most frequent case, I think it's a safe fallback.

As these scripts seem to be called from cron, does a simple `print "WARNING..."` do the trick of notifying the admin about a missing public key? (Or failure to retrieve from the keyserver or some such.)

> I don't think we need a warning, just to say the package was sponsored.

Good, we are on the same page.

Regards

Markus Wanner
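As an added illustration (this is not the patch discussed in the thread, nor PTS code), the following Python shows how a script that invokes gpg with --status-fd can name the signer even when the key or signature has expired, and fall back to the sender when the public key is missing, producing the "(ChangedBy - signed by: Signer)" suffix from the message above. Key IDs, addresses and the status output are constructed placeholders, not real gpg runs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Status lines gpg writes to --status-fd (format per gnupg's doc/DETAILS).
# The token after the keyword is the long key ID of the signing key, which gpg
# reports even when the signature is bad or the key has expired; only NO_PUBKEY
# carries no user ID, because gpg cannot name a key it does not hold.
_SIG_RE = re.compile(r"^\[GNUPG:\] (GOODSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG) (\S+) (.*)$")
_NOKEY_RE = re.compile(r"^\[GNUPG:\] NO_PUBKEY (\S+)$")

@dataclass
class SignerInfo:
    status: str            # GOODSIG, EXPKEYSIG, BADSIG, NO_PUBKEY, ...
    keyid: Optional[str]   # long key ID of the signing key
    uid: Optional[str]     # user ID text; None when the pubkey is missing

def parse_signer(status_output: str) -> Optional[SignerInfo]:
    """Pick the signer out of gpg --status-fd output; None if no signature."""
    for line in status_output.splitlines():
        m = _SIG_RE.match(line)
        if m:
            return SignerInfo(m.group(1), m.group(2), m.group(3).strip())
        m = _NOKEY_RE.match(line)
        if m:
            return SignerInfo("NO_PUBKEY", m.group(1), None)
    return None

def _name(addr: str) -> str:
    """'Name <mail>' -> 'Name'."""
    return re.sub(r"\s*<[^>]*>", "", addr).strip()

def news_suffix(changed_by: str, info: Optional[SignerInfo]) -> str:
    """Build the '(ChangedBy - signed by: Signer)' suffix for a PTS news line.
    Validity is deliberately not checked: an expired key still names the signer.
    Without the pubkey gpg cannot name the key, so the mail is shown as signed
    by ChangedBy (the fallback described in the message above)."""
    author = _name(changed_by)
    signer = _name(info.uid) if info and info.uid else author
    return f"({author})" if signer == author else f"({author} - signed by: {signer})"

# Constructed sample status output (hypothetical key IDs and addresses).
SPONSORED = ("[GNUPG:] NEWSIG\n"
             "[GNUPG:] GOODSIG 0123456789ABCDEF Ludovic Brenta <ludovic@example.org>\n")
EXPIRED = "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Ludovic Brenta <ludovic@example.org>\n"
NO_KEY = ("[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1336636800 9\n"
          "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n")
CHANGED_BY = "Markus Wanner <markus@example.org>"

if __name__ == "__main__":
    for status in (SPONSORED, EXPIRED, NO_KEY):
        print(news_suffix(CHANGED_BY, parse_signer(status)))
```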