Sean Whitton writes ("Bug#1130653: tag2upload signing key updates and expiry checks"):
> Right. I am keen not to introduce facilities that a potential future
> maintainer of t2u in Debian will need to learn. We should use existing
> stuff as much as we possibly can.
Yes.
I spoke to adsb on irc. He pointed me at various existing things that
DSA have. tl;dr: they do have monitoring for the one key that they
own, the archive key. Other keys in /srv/keyrings are managed by
their respective owners and there is no central monitoring.
They do have this script for checking key expiry
https://salsa.debian.org/dsa-team/mirror/dsa-nagios/-/blob/4913612e3b5cffc4132f8d6f67fd66dcd4c8a04a/dsa-nagios-checks/checks/dsa-check-gpg-expiry
which is a considerably more sophisticated version of our
t2usm:maint/check-oracle-key-expiry.
I propose the following:
* New cron job on manager to scrape keyid from wiki.
* New cron job on manager to fish key out of debian-tag2upload-keyring.deb
in some or all (??) of sid, testing, stable, stable-bpo, oldstable
* New cron job on builder to copy key out of builder image to manager.
* New cron job on oracle to copy live public key to manager.
* Soup up existing checking cron job on manager to check consistency of
(a) all of the above
(b) copy in /srv/keyrings
* Use DSA's dsa-check-gpg-expiry script rather than our own open-coded
implementation (but NB that DSA are going to move that script to a
different location because they've switched from nagios to puppet
so we may need to wait for that to happen)
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
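One way the souped-up consistency-and-expiry check on manager could be written, as an added example that is neither tag2upload's nor DSA's code. It assumes the collecting cron jobs described in the proposal have dropped each copy of the public key (wiki scrape, keyring package, builder image, oracle, /srv/keyrings) as a separate exported key file in one directory, assumed here to be /srv/t2u/keycopies; that GnuPG 2.x is installed (its --with-colons output gives dates as seconds since the epoch); and a warning threshold of 30 days, which is also an assumption. Exit codes follow the Nagios convention (0 OK, 1 WARNING, 2 CRITICAL) so the script can be hooked into whatever monitoring DSA end up with.

```shell
#!/bin/sh
# Added example, not tag2upload's or DSA's own code.
# Checks that every collected copy of the t2u public key has the same
# primary fingerprint, then checks how long until that key expires.
set -eu

# Assumed warning threshold in days; override via the environment.
MIN_DAYS=${MIN_DAYS:-30}

# Colon-format records (pub:, fpr:, uid:, ...) for one exported key file.
# Assumes GnuPG 2.x, where --show-keys exists and dates are epoch seconds.
key_records() {
    gpg --batch --with-colons --show-keys "$1"
}

# Primary fingerprint: field 10 of the first fpr: record on stdin.
fpr_from_records() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Expiry of the primary key: field 7 of the pub: record on stdin.
# Empty means the key does not expire.
expiry_from_records() {
    awk -F: '$1 == "pub" { print $7; exit }'
}

# Succeed only if all non-empty lines on stdin are identical.
all_same() {
    sort -u | awk 'END { if (NR == 1) exit 0; exit 1 }'
}

# Whole days until expiry given expiry epoch and current epoch;
# prints "never" for a key with no expiry, negative if already expired.
days_left() {
    exp=$1; now=$2
    if [ -z "$exp" ]; then echo never; return 0; fi
    echo $(( (exp - now) / 86400 ))
}

# Map days-left to a monitoring status given the warning threshold.
expiry_status() {
    left=$1; min=$2
    case "$left" in
        never) echo OK; return 0 ;;
    esac
    if [ "$left" -lt 0 ]; then echo CRITICAL
    elif [ "$left" -lt "$min" ]; then echo WARNING
    else echo OK; fi
}

main() {
    dir=${1:-/srv/t2u/keycopies}   # assumed drop directory for the copies
    fprs=""
    first=""
    for f in "$dir"/*; do
        [ -n "$first" ] || first=$f
        fp=$(key_records "$f" | fpr_from_records)
        [ -n "$fp" ] || { echo "CRITICAL: no OpenPGP key found in $f"; exit 2; }
        echo "$(basename "$f"): $fp"
        fprs="$fprs$fp
"
    done
    if ! printf '%s' "$fprs" | all_same; then
        echo "CRITICAL: key copies in $dir disagree"; exit 2
    fi
    exp=$(key_records "$first" | expiry_from_records)
    left=$(days_left "$exp" "$(date +%s)")
    st=$(expiry_status "$left" "$MIN_DAYS")
    echo "$st: $left days until key expiry (warn below $MIN_DAYS)"
    case "$st" in OK) exit 0 ;; WARNING) exit 1 ;; *) exit 2 ;; esac
}

# Only run the check when a directory is supplied via KEYCOPY_DIR, so the
# functions above can also be sourced and exercised on their own.
if [ -n "${KEYCOPY_DIR:-}" ]; then main "$KEYCOPY_DIR"; fi
```

Run it from cron as `KEYCOPY_DIR=/srv/t2u/keycopies sh check-key-copies.sh`. Comparing primary fingerprints rather than raw file bytes is deliberate: the copies will legitimately differ in packaging (ASCII-armoured versus binary, with or without extra signatures), and it is the key itself that has to agree; a mismatch means one of the sources has not picked up a key rotation, which is exactly the condition the proposal wants to catch.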