Hello,

On Mon, 5 Mar 2018 10:04:22 +0000
Jonathan McDowell <nood...@earth.li> wrote:

> On Sun, Mar 04, 2018 at 08:02:35PM +0100, Ximin Luo wrote:
>
> > For security, I set a short validity period on my key and renew this
> > every year by repeatedly extending the expiry date. However I keep
> > forgetting to send the key to keyring.debian.org, and it's the second
> > time this has happened. Since the keyring-maint team usually updates
> > debian-keyring once a month, it means I can't do any uploads for a
> > month, which is pretty inconvenient.

I would like to second this request because I recently made the same
mistake. Although I had uploaded my public key to the keyserver network
months ago, it was never synced with keyring.debian.org. I naively
assumed it would happen automatically. I followed the instructions on
https://keyring.debian.org/ and now I'm waiting for the keypush. In the
meantime I cannot upload any packages.

> We've discussed this internally in the past (we have scripts/chk_expiry
> already which probably needs a bit of cleanup for gpg2) and never come
> up with a solution that we actually rolled out. I have a few unanswered
> questions about doing such a thing:
>
> *) What email address do we email from? The keyring-maint role address?
> Something else where we can just drop the bounces?

Either this one or a completely new address which is only meant for
sending out those emails and is not supposed to receive messages.

> *) Which email address do we notify about the key expiry? The primary
> UID (not always well specified)? All UIDs? The @debian.org address
> associated with the key (where available, doesn't work for DDs)?

When in doubt, I would suggest notifying all email addresses / UIDs,
just to be sure.

> *) How often do we email? Both in terms of how often do we run the
> checks, and how often do we alert someone about an upcoming expiry.
> Should it be something we do from a regular cron job, or something
> done after a keyring update?

Once per week, three months before the key will expire. Both a regular
cron job and a run after a keyring update would work, I guess, as long
as the keyring push happens approximately once per month. This will
give active people enough time to react.

> *) Why is it keyring-maint's responsibility to manage key expiry
> notifications for people?

It isn't, but I believe you would help to improve this service. Some
people like me didn't know that updated public keys are not
automatically synced, others forget it completely. In any case an
automated email would help to prevent those situations, which could
mean that DMs/DDs are unable to upload for a month or longer.

> *) [Related, but a one off]: How do we handle long expired keys? There
> are keys that have been expired for nearly 3 years. Is there a point
> where we should submit them to MIA? If we're sending notifications
> perhaps there's an MIA notification as part of the same script?

If they have been expired for three years, it is very likely that the
developer in question is MIA. I believe it would be helpful to inform
the MIA team about it and ask them to check the situation. This
could/should? be handled differently.

Regards,

Markus
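The checks discussed in this thread (keys expiring within three months, notifying every UID of a key, and flagging keys that have been expired for three years or more as MIA candidates), written out as an added Python example; it is not Debian's scripts/chk_expiry or any other keyring-maint code, the colon-format listing it parses is constructed, and the thresholds are simply the ones proposed in the thread.

```python
import re
DAY = 86400  # seconds

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs, names
# and addresses are made up for this example, not real keyring entries.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1420070400:1525000000::u:::scESC::::::23::0:
uid:u::::1420070400::0000::Alice Example <alice@example.org>::::::::::0:
uid:u::::1420070400::0001::Alice Example <alice@debian.example>::::::::::0:
pub:e:4096:1:1111222233334444:1300000000:1420000000::-:::scESC::::::23::0:
uid:e::::1300000000::0002::Bob Example <bob@example.org>::::::::::0:
pub:e:4096:1:5555666677778888:1400000000:1490000000::-:::scESC::::::23::0:
uid:e::::1400000000::0003::Carol Example <carol@example.org>::::::::::0:
pub:u:4096:1:9999AAAABBBBCCCC:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0004::Dave Example <dave@example.org>::::::::::0:
"""
EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")

def parse_listing(text):
    """Group each 'pub' record with its 'uid' records. Field 5 is the key ID, field 7
    the expiry (unix time, empty = never) and field 10 of a uid record the user ID."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "expires": int(f[6]) if f[6] else None, "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def notify_addresses(key):
    """Every address found in the key's UIDs (the 'notify all UIDs' option)."""
    return [m.group(1) for uid in key["uids"] for m in [EMAIL_RE.search(uid)] if m]

def classify(keys, now_ts, warn_days=90, mia_years=3):
    """Bucket keys by expiry relative to now_ts (unix time; a cron job would pass time.time()):
    'upcoming' expire within warn_days, 'expired' less than mia_years ago, 'mia_candidate' longer."""
    buckets = {"upcoming": [], "expired": [], "mia_candidate": []}
    warn_until, mia_cutoff = now_ts + warn_days * DAY, now_ts - mia_years * 365 * DAY
    for key in keys:
        exp = key["expires"]
        if exp is None:  # keys without an expiry date never need a reminder
            continue
        if exp < mia_cutoff:
            buckets["mia_candidate"].append(key["keyid"])
        elif exp < now_ts:
            buckets["expired"].append(key["keyid"])
        elif exp <= warn_until:
            buckets["upcoming"].append(key["keyid"])
    return buckets
```

Run against the sample with now_ts = 1520208000 (2018-03-05 UTC, the date of this thread), Alice's key lands in "upcoming" with both of her addresses to notify, Carol's in "expired" and Bob's in "mia_candidate".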