On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote: > I am curious how you could craft an upload that would use a key > (ostensibly not your own, since you would know what you are uploading > anyway) where you could use some random DD's key to do the upload > without an email going to that DD. It seems like you would need to > forge the GPG signature.
Which seems, according to [1], one of the things the Enrico's monitor is supposed to permit detecting. An interesting intended usage IMO. The real point relevant to this mailing list is: are we interested in hosting the service under some of the QA service we have or not? If not we can let it go and, AFAIU, it can/will be hosted on ftp-master.d.o. If we are interested on the other hand we can host it. Speaking for the PTS side I don't think it would have any use there, as the PTS is mainly source package based; moreover, at that granularity the PTS already has the upload history and the corresponding RSS feed. IMO it will be very interesting to have this integrated in DDPO, has it is the one true Debian portal we have which is oriented toward a maintainer. Any other places we might benefit from this service? Cheers. [1]http://www.enricozini.org/2008/tips/audit-uploads.html -- Stefano Zacchiroli -*- PhD in Computer Science ............... now what? [EMAIL PROTECTED],cs.unibo.it,debian.org} -<%>- http://upsilon.cc/zack/ (15:56:48) Zack: e la demo dema ? /\ All one has to do is hit the (15:57:15) Bac: no, la demo scema \/ right keys at the right time
signature.asc
Description: Digital signature