Bug#985875: DDPO: watch should warn about expired upstream signing keys

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#985875: DDPO: watch should warn about expired upstream signing keys
From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date: Thu, 25 Mar 2021 09:42:15 +0100
Message-id: <[🔎] 1616528701@msgid.manchmal.in-ulm.de>
Reply-to: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>, 985875@bugs.debian.org

Package: qa.debian.org
Severity: wishlist

Hello,

the upstream signing key debian/upstream/signing-key.asc might have
expired. It seems the process that leads to the DDPO dashboard happily
ignores such a situation and continues operation.

While this shouldn't do harm in the rare case of hijacking as the
package maintainer should be careful in the work anyway, it was helpful
if the DDPO page could place an extra warning like "Signature validation
failed" or "Signing key expired" here. Optionally even "... will expire
soon".

Example: libgpg-error (filed as #985793)
<https://qa.debian.org/developer.php?login=pkg-gnupg-maint%40lists.alioth.debian.org>

Related lintian bug: #964971

    Christoph

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Bug#985404: qa.debian.org: Packages overview VCS field doesn't consider a debian/experimental branch
Previous by thread: Bug#985404: qa.debian.org: Packages overview VCS field doesn't consider a debian/experimental branch
Index(es):
- Date
- Thread