On Sun, Mar 04, 2018 at 08:02:35PM +0100, Ximin Luo wrote:

> For security, I set a short validity period on my key and renew this
> every year by repeatedly extending the expiry date. However I keep
> forgetting to send the key to keyring.debian.org, and it's the second
> time this has happened. Since the keyring-maint team usually updates
> debian-keyring once a month, it means I can't do any uploads for a
> month, which is pretty inconvenient.

We've discussed this internally in the past (we have scripts/chk_expiry
already which probably needs a bit of cleanup for gpg2) and never come
up with a solution that we actually rolled out. I have a few unanswered
questions about doing such a thing:

*) What email address do we email from? The keyring-maint role address?
   Something else where we can just drop the bounces?

*) Which email address do we notify about the key expiry? The primary
   UID (not always well specified)? All UIDs? The @debian.org address
   associated with the key (where available, doesn't work for DDs)?

*) How often do we email? Both in terms of how often do we run the
   checks, and how often do we alter someone about an upcoming expiry.
   Should it be something we do from a regular cron job, or something
   done after a keyring update?

*) Why is it keyring-maint's responsibility to manage key expiry
   notifications for people?

*) [Related, but a one off]: How do we handle long expired keys? There
   are keys that have been expired for nearly 3 years. Is there a point
   where we should submit them to MIA? If we're sending notifications
   perhaps there's an MIA notification as part of the same script?

J.

-- 
Web [     Life's dangerous enough without mines in the garden.     ]
site: https:// [                                          ]      Made by
www.earth.li/~noodles/  [                      ]         HuggieTag 0.0.24

Reply via email to