Enrico Zini writes ("Re: State of the debian keyring"):
> ...which reminds me of http://www.enricozini.org/2008/tips/audit-uploads/
> which was a prototype of creating an audit log of key usage in debian.
...
> This means hooking into any place where a signature verification or a
> decryption actually happens in Debian: I can think of uploads,
> db.debian.org, voting, keyring requests, RT tickets filed, emails
> received by lists or the BTS: are there more?

My (not-yet-deployed) dgit push receiver (to support, amongst other
things, dm uploads), which depends on tags signed by dm pgp keys.

ssh push to alioth.  (Sorry to add a very hairy yak to your plan.)

dget.

> So I can't just open vim and write the code: auditing key usage in
> package uploads requires someone who knows dak inside out, and can
> commit to maintaining notification triggers in all obscure corners where
> keys are used, now and in future updates of the ftp-master toolchain.
> Same goes for any other bit of Debian.

Perhaps we could provide a patched version of gpg[v] which phones home
to report the verification.

> The starting point for this work is probably this, then: is it just me,
> feeling that we have a problem here, or am I actually in the good
> company of people who can do their bit?

I think this would be nice, and having a partial audit would be better
than no audit.

Ian.
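One way to get the "phone home" behaviour Ian suggests without patching gpg itself is a wrapper placed ahead of the real gpgv on PATH that runs the real binary, parses its `--status-fd` output and appends one audit record per verification. This is an added illustration, not code from the thread or from Debian; the binary location, the audit log path and the record layout are assumptions.

```python
#!/usr/bin/env python3
"""Audit wrapper for gpgv (hypothetical): runs the real verifier with a
machine-readable status pipe and appends one JSON line per verification.
Assumed paths: real binary at /usr/bin/gpgv, log at /var/log/gpgv-audit.jsonl.
Callers that pass their own --status-fd would need that option merged, not
duplicated; this wrapper does not handle that case."""
import json, os, subprocess, sys, time

REAL_GPGV = "/usr/bin/gpgv"               # assumed location of the real gpgv
AUDIT_LOG = "/var/log/gpgv-audit.jsonl"   # assumed append-only audit log

def parse_status(status_lines):
    """Reduce gpgv '[GNUPG:] ...' status lines to one outcome record:
    fingerprint from VALIDSIG, key id and uid from GOODSIG, and a result of
    good/bad/error/expkeysig/revkeysig, or nosig if no signature was seen."""
    rec = {"result": "nosig", "fingerprint": None, "keyid": None, "uid": None}
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag == "VALIDSIG":
            rec["fingerprint"] = parts[2]
        elif tag == "GOODSIG":
            rec.update(result="good", keyid=parts[2], uid=" ".join(parts[3:]))
        elif tag == "BADSIG":
            rec.update(result="bad", keyid=parts[2])
        elif tag == "ERRSIG":            # e.g. key not in the keyring
            rec.update(result="error", keyid=parts[2])
        elif tag in ("EXPKEYSIG", "REVKEYSIG"):
            rec.update(result=tag.lower(), keyid=parts[2])
    return rec

def audit_record(status_lines, argv, exit_code, caller=None):
    """Build the record that is logged: outcome plus who asked and for what."""
    rec = parse_status(status_lines)
    rec.update(ts=int(time.time()), argv=argv, exit=exit_code,
               caller=caller or {"uid": os.getuid(), "cwd": os.getcwd()})
    return rec

def main():
    r, w = os.pipe()                      # status goes to us, stdout/stderr pass through
    proc = subprocess.Popen([REAL_GPGV, "--status-fd", str(w)] + sys.argv[1:],
                            pass_fds=(w,))
    os.close(w)
    status = os.fdopen(r).read().splitlines()
    rc = proc.wait()
    with open(AUDIT_LOG, "a") as log:
        log.write(json.dumps(audit_record(status, sys.argv[1:], rc)) + "\n")
    sys.exit(rc)                          # preserve the real verifier's exit code

if __name__ == "__main__":
    main()
```

The log gives a per-call trail (key, outcome, invoking uid and working directory) that can be correlated with dak, dget or push-receiver logs, covering only the tools that go through gpgv.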

