Sean Whitton writes ("Bug#1130653: tag2upload signing key updates and expiry 
checks"):
> This makes me think that there is in fact already a system like this:
> the thing that copies our public key from tag2upload-manager-01 to
> ftp-master.

Ah, but that's part of copying the key *out* from the place where we
edit it, to the place where it's deployed.

If we want to spot failures, we need a separate thing that copies the
key *back* from the places it's deployed, to the place it's checked.

That could perhaps be a separate instance of the DSA thing but I bet
the DSA thing knows enough about what it's trying to do that makes it
unsuitable.  Anyway I'll see if I can chat to them on irc maybe.

Also, ISTM that the DSA thing is probably already fairly reliable (and
may indeed have some monitoring) so we may not need a check that dak's
copy is updated, if we can prove that the copy in DSA's
centrally-propagated keyring is updated, for example by looking in /srv
on another host.

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
