Paul,
On 03/15/2013 03:02 AM, Paul Wise wrote:
> I would have done this:
>
> [2012-05-10] Accepted 1.0-6 in unstable (low) (Markus Wanner, signed
> by Ludovic Brenta)
Looks better, agreed.
> [2012-05-10] Accepted 1.0-6 in unstable (low) (Markus Wanner, signed
> by someone else)
That's utterly misleading in case "someone else" is "Markus Wanner".
The point is, the existence of a signature is not an indication of
sponsorship. We really need to have the pubkey of the signer to be able
to distinguish between proper self-signed and sponsored uploads.
What we can do is distinguish three cases, i.e. (just to stick with the
example above):
In case we have the pubkey and its UID matches ChangedBy:
" ..in unstable (low) (Markus Wanner)"
(This would imply a signature of myself, i.e. no sponsorship.)
In case we have the pubkey and its UID does not match ChangedBy:
" ..in unstable (low) (Markus Wanner, signed by Ludovic Brenta)"
In case we do not know the pubkey:
" ..in unstable (low) (Markus Wanner, unknown signature)"
(This doesn't imply anything about sponsorship. It could still
be a valid signature of mine, or of a sponsor, PTS just cannot
tell.)
> It could be sponsorship or co-maintenance, maybe the signer made some
> changes and put their name in the changelog too.
Exactly, so let's keep with "signed by" rather than trying to identify
what exactly we call sponsorship and what not.
>> As these scripts seem to be called from cron, does a simple `print
>> "WARNING...` do the trick of notifying the admin about a missing public
>> key? (Or failure to retrieve from the keyserver or some such.)
>
> That will notify the folks listed here:
>
> http://anonscm.debian.org/viewvc/qa/trunk/data/cronjobs/crontab.head?view=markup
Sounds like a notification on stderr about missing pubkeys could do the
trick.
Regards
Markus Wanner
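As an added illustration of the three display cases and the stderr warning discussed in this thread (example code, not the PTS scripts or anything posted by either participant), a small Python function that picks the signer annotation; the keyring dict, fingerprints and addresses are constructed, and matching ChangedBy against the key's UIDs by e-mail address is an assumption about how the comparison would be done:

```python
import sys

# Constructed keyring: fingerprint -> UIDs on that key (hypothetical, not real keys).
KEYRING = {
    "FPR_MARKUS": ["Markus Wanner <markus@example.org>"],
    "FPR_LUDOVIC": ["Ludovic Brenta <ludovic@example.org>",
                    "Ludovic Brenta <lb@example.net>"],
}


def _email(uid):
    """Return the lower-cased address from 'Name <addr>', else the whole string."""
    if "<" in uid and uid.endswith(">"):
        return uid[uid.rindex("<") + 1:-1].lower()
    return uid.strip().lower()


def _name(uid):
    """Return the display name from 'Name <addr>', else the whole string."""
    return uid.split("<", 1)[0].strip() if "<" in uid else uid.strip()


def describe_signer(changed_by, signer_fpr, keyring=KEYRING):
    """Three cases: key known and UID matches ChangedBy; key known and it
    does not match; key unknown (which says nothing about sponsorship)."""
    uids = keyring.get(signer_fpr) if signer_fpr else None
    if not uids:
        # Cron captures stderr, so a plain warning reaches the admins.
        print(f"WARNING: no public key for signer {signer_fpr!r}", file=sys.stderr)
        return f"{_name(changed_by)}, unknown signature"
    # Compare by address: a key usually carries several UIDs, and the name
    # spelling in ChangedBy need not match the UID exactly.
    if _email(changed_by) in {_email(u) for u in uids}:
        return _name(changed_by)
    return f"{_name(changed_by)}, signed by {_name(uids[0])}"


def render_accept(date, version, suite, urgency, changed_by, signer_fpr):
    """Build the PTS-style 'Accepted' line with the signer annotation."""
    who = describe_signer(changed_by, signer_fpr)
    return f"[{date}] Accepted {version} in {suite} ({urgency}) ({who})"


if __name__ == "__main__":
    print(render_accept("2012-05-10", "1.0-6", "unstable", "low",
                        "Markus Wanner <markus@example.org>", "FPR_LUDOVIC"))
```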