Ian Jackson <[email protected]> [17/Mar 11:41am GMT] wrote:
> Sean Whitton writes ("Bug#1130653: tag2upload signing key updates and expiry
> checks"):
>> This makes me think that there is in fact already a system like this:
>> the thing that copies our public key from tag2upload-manager-01 to
>> ftp-master.
>
> Ah, but that's part of copying the key *out* from the place where we
> edit it, to the place where it's deployed.
>
> If we want to spot failures, we need a separate thing that copies the
> key *back* from the places it's deployed, to the place it's checked.
>
> That could perhaps be a separate instance of the DSA thing but I bet
> the DSA thing knows enough about what it's trying to do that makes it
> unsuitable. Anyway I'll see if I can chat to them on irc maybe.
>
> Also, ISTM that the DSA thing is probably already fairly reliable (and
> may indeed have some monitoring) so we may not need a check that dak's
> copy is updated, if we can prove that the copy in DSA's
> centrally-propagated keyring is updated, for example by looking in /srv
> on another host.

DSA's thing does have monitoring. So if we use it to do all our key
deployments, we get monitoring for free and we're done.

-- 
Sean Whitton

