Enrico Zini writes ("Re: State of the debian keyring"):
> ...which reminds me of http://www.enricozini.org/2008/tips/audit-uploads/
> which was a prototype of creating an audit log of key usage in debian.
...
> This means hooking into any place where a signature verification or a
> decryption actually happens in Debian: I can think of uploads,
> db.debian.org, voting, keyring requests, RT tickets filed, emails
> received by lists or the BTS: are there more?

My (not-yet-deployed) dgit push receiver (to support, amongst other
things, dm uploads), which depends on tags signed by dm pgp keys.

ssh push to alioth.  (Sorry to add a very hairy yak to your plan.)

dget.

> So I can't just open vim and write the code: auditing key usage in
> package uploads requires someone who knows dak inside out, and can
> commit to maintaining notification triggers in all obscure corners where
> keys are used, now and in future updates of the ftp-master toolchain.
> Same goes for any other bit of Debian.

Perhaps we could provide a patched version of gpg[v] which phones home
to report the verification.

> The starting point for this work is probably this, then: is it just me,
> feeling that we have a problem here, or am I actually in the good
> company of people who can do their bit?

I think this would be nice, and having a partial audit would be better
than no audit.

Ian.

Archive: https://lists.debian.org/21263.12362.656891.831...@chiark.greenend.org.uk
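The thread's two ideas, an audit log of which key was used where, and a gpgv wrapper that reports each verification, can be sketched without touching dak or dgit at all: a wrapper runs `gpgv --status-fd 2` as usual and feeds the machine-readable status lines to a small recorder. The code below is an added example written for this page, not code from the thread or from any Debian tool. It assumes the wrapper passes in a hook name (the "dak-upload" and "dgit-push" names are made up) and the subject being verified; the status lines, key id, fingerprint and uid embedded in it are constructed placeholders in the real gpgv status-fd format, so the example runs offline.

```python
"""Prototype key-usage audit recorder fed by gpgv --status-fd output.

Added example (not from the thread, dak, dgit or gnupg).  Assumes a
wrapper around gpgv captures the status fd and calls audit_record() with
a hook name and the subject (changes file, tag name, ...) it verified.
Hook names, key ids, fingerprints and uids below are constructed.
"""
import json
import os
import tempfile
import time

# Constructed sample of gpgv status-fd output for a good signature.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID AbCdEf0123456789 2014-08-01 1406851200
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2014-08-01 1406851200 0 4 0 1 10 00 0000111122223333444455556666777788889999
"""

# Constructed sample for a key that is not in the keyring given to gpgv.
SAMPLE_NOKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1406851200 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""


def parse_status(status_text):
    """Reduce gpgv status lines to one record: which key, and did it verify.

    GOODSIG/BADSIG/EXPKEYSIG/REVKEYSIG/EXPSIG carry the long key id and uid,
    VALIDSIG carries the full fingerprint, NO_PUBKEY/ERRSIG mean the key was
    unknown to the keyring; everything else is ignored."""
    record = {"result": "unknown", "keyid": None, "fingerprint": None, "uid": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split(" ", 2)
        keyword = parts[0]
        if keyword in ("GOODSIG", "BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            record["keyid"] = parts[1]
            record["uid"] = parts[2] if len(parts) > 2 else None
            record["result"] = keyword.lower()
        elif keyword == "VALIDSIG":
            record["fingerprint"] = parts[1]
        elif keyword == "NO_PUBKEY":
            record["keyid"] = parts[1]
            record["result"] = "no_pubkey"
        elif keyword == "ERRSIG" and record["result"] == "unknown":
            record["keyid"] = parts[1]
            record["result"] = "errsig"
    return record


def audit_record(hook, subject, status_text, now=None):
    """Build the audit-log entry for one verification at one hook point."""
    rec = parse_status(status_text)
    rec.update({"hook": hook, "subject": subject,
                "time": int(now if now is not None else time.time())})
    return rec


def append_audit(path, record):
    """Append one record as a JSON line to the (central or per-hook) log."""
    with open(path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def keys_used(path):
    """Summarise an audit log: long key id -> number of good verifications."""
    counts = {}
    with open(path) as fh:
        for line in fh:
            rec = json.loads(line)
            if rec["result"] == "goodsig":
                counts[rec["keyid"]] = counts.get(rec["keyid"], 0) + 1
    return counts


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "keyusage.log")
    append_audit(path, audit_record("dak-upload", "foo_1.0-1_source.changes", SAMPLE_GOOD))
    append_audit(path, audit_record("dgit-push", "refs/tags/debian/1.0-1", SAMPLE_NOKEY))
    print(open(path).read())
    print(keys_used(path))
```

Because every hook only has to ship status lines plus a hook name, a partial audit (uploads and dgit today, db.debian.org and voting later) accumulates in one log format, which is the "partial audit is better than no audit" point made above.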