On Thu, Mar 14, 2013 at 3:37 AM, Markus Wanner wrote:

> Keep in mind that the public keys must also be available, so we can
> look up the UIDs of a key by fingerprint. Ideally with dynamic fetching
> from a keyserver. Not sure if that's feasible on quantz or not.
>
> Alternatively, we could / should use some existing database (UDD? LDAP?)

I guess we should just use a local copy of the keyring via rsync:

http://keyring.debian.org/

I guess we need historical data too, since people have left Debian and the plan was to regenerate stuff for old mails?

Often the keyring will be out-of-date, so we also need to pull from the keyservers.

> Well, how do you like this fixed?

How about "sponsored by someone" or "unknown sponsor"?

> I primarily wanted to know *who* sponsored a package, i.e. who signed. I
> don't care much if the signature is valid or not (at least not on PTS).

The fact that the package was sponsored is interesting info, no matter who was the sponsor.

> Please keep in mind that i.e. a missing public key is neither the
> package maintainer's nor the uploader's fault. Thus a warning about that
> doesn't belong on PTS, IMO.

I don't think we need a warning, just to say the package was sponsored.

--
bye,
pabs

http://wiki.debian.org/PaulWise
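The lookup discussed in this thread, as an added example (not code from the thread or from the PTS): it indexes `gpg --with-colons` listings of a current and a historical keyring by fingerprint, subkeys included, and labels an upload's signer. The listings are constructed, and the function names and the mapping of a missing key to "unknown sponsor" are assumptions.

```python
from email.utils import parseaddr

# Constructed `gpg --with-colons` style listings (not real keys).
CURRENT = """\
pub:-:4096:1:1111111111111111:1262304000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111:
uid:-::::1262304000::::Alice Example <alice@example.org>:
sub:-:4096:1:2222222222222222:1262304000::::::s:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB22222222:
"""
HISTORICAL = """\
pub:-:1024:17:3333333333333333:1009843200:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC33333333:
uid:-::::1009843200::::Bob Retired <bob@example.net>:
"""

def index_keyring(listing):
    """Map each primary-key and subkey fingerprint to that key's UID list."""
    index, uids = {}, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            uids = []                 # new key block: fresh shared UID list
        elif f[0] == "fpr" and len(f) > 9:
            index[f[9]] = uids        # field 10 holds the fingerprint
        elif f[0] == "uid" and len(f) > 9:
            uids.append(f[9])         # field 10 holds the user ID
    return index

def lookup_uids(fpr, *indexes):
    """Search the indexes in order; None means the key is in no local copy."""
    fpr = fpr.replace(" ", "").upper()
    for idx in indexes:
        if fpr in idx:
            return idx[fpr]
    return None                       # candidate for a keyserver fetch

def describe_signer(fpr, changed_by, *indexes):
    """Label the signer of an upload relative to its Changed-By address."""
    uids = lookup_uids(fpr, *indexes)
    if uids is None:
        return "unknown sponsor"      # assumption: missing key is not an error
    author = parseaddr(changed_by)[1].lower()
    if any(parseaddr(u)[1].lower() == author for u in uids):
        return "signed by uploader"
    return "sponsored by " + (uids[0] if uids else "someone")
```

Indexing subkey fingerprints matters because a signature made with a signing subkey reports the subkey's fingerprint, not the primary key's.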