Russ Allbery wrote:
> Assuming the e-mail address on keys is mailable is also a bit dodgy, and
> which of the multiple identities on a key would one use?
The one that is stored associated to the account (DM or ldap and @d.o). It's not
that hard actually, after all, it has already been checked that the signature is
from a known uploader.
When doing that, one could also introduce mailing the sponsor of an upload if
the address used as Changed-By does not match any of the key UIDs.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Thomas Viehmann <tv@beamnet.de> writes:
> Russ Allbery wrote:

>> Assuming the e-mail address on keys is mailable is also a bit dodgy,
>> and which of the multiple identities on a key would one use?

> The one that is stored associated to the account (DM or ldap and @d.o).

I suppose that most of the time you'll get lucky and one of the key uids
will match LDAP, but you still lose on DMs. And it's certainly not
required that one of the key uids matches anything in LDAP.

> It's not that hard actually, after all, it has already been checked that
> the signature is from a known uploader.

By checking against a keyring, which still doesn't tell you which uid to
use for contact information. Remember, when the parsing of *.changes
failed, you don't have any of the metadata for the package, since you
can't trust the results of a failed parse.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Russ Allbery wrote:
> Thomas Viehmann <tv@beamnet.de> writes:
>> Russ Allbery wrote:

>>> Assuming the e-mail address on keys is mailable is also a bit dodgy,
>>> and which of the multiple identities on a key would one use?

>> The one that is stored associated to the account (DM or ldap and @d.o).

> I suppose that most of the time you'll get lucky and one of the key uids
> will match LDAP, but you still lose on DMs. And it's certainly not
> required that one of the key uids matches anything in LDAP.

I, on the contrary suppose that the developer LDAP database could, in fact, be
used in the same fashion as it is by devotee, who-uploads, probably dak
somewhere else etc. to map key fingerprints to Debian accounts. Add @debian.org
and you get an email address (let's not care about people disabling it). The DMs
are assigned UIDs that look, after some very mild modification (s/^dm://),
eeriely like email addresses.

So indeed,
>> It's not that hard actually, after all, it has already been checked that
>> the signature is from a known uploader.

despite your claim of

> By checking against a keyring, which still doesn't tell you which uid to
> use for contact information. Remember, when the parsing of *.changes
> failed, you don't have any of the metadata for the package, since you
> can't trust the results of a failed parse.

which I still don't quite follow if the parse error is of a nature such that it
is completely unrelated to the information "^Changed-By: (.*)".

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Thomas Viehmann <tv@beamnet.de> writes:
> Russ Allbery wrote:

>> I suppose that most of the time you'll get lucky and one of the key
>> uids will match LDAP, but you still lose on DMs. And it's certainly
>> not required that one of the key uids matches anything in LDAP.

> I, on the contrary suppose that the developer LDAP database could, in
> fact, be used in the same fashion as it is by devotee, who-uploads,
> probably dak somewhere else etc. to map key fingerprints to Debian
> accounts. Add @debian.org and you get an email address (let's not care
> about people disabling it). The DMs are assigned UIDs that look, after
> some very mild modification (s/^dm://), eeriely like email addresses.

Ah, I see what you're saying. Yeah, that would work. Obvious in
retrospect; I was just being dense.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 11293 March 1977, Thomas Viehmann wrote:

> somewhere else etc. to map key fingerprints to Debian accounts. Add @debian.org
> and you get an email address (let's not care about people disabling
> it).

ANY "solution" *HAS* to care about this, there is no way you can sanely
think that ftpmaster@debian.org wants to have the possibly high number
of mail rejects thanks to people disabling their debian.org mail.


And then - if you have any patches improving the mail handling, or dak
in general, talk to me and I put them into a bzr repo, ready for a
master to merge. Wouldnt be the first patch to merge in.
(Or talk to a master directly...)

--
bye Joerg
* libpng2 no libpng3 no why ? because no yes no yes no yes bullshit no yes
no yes no yes stop ? no when someday beep beep beep beep (Closes: #157011)
-- Christian Marillat <marillat@debian.org> Thu, 29 Aug 2002 16:41:58 +0200


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org