Hi, On Sat, 2007-08-18 at 23:12 +0100, Neil Williams wrote: > dscverify relies on the keyring packaged in debian-keyring which has > not had an upload since 2005. dscverify therefore fails to verify new > DD's (like me) and wrongly verifies signatures of DD's who may have > resigned or otherwise had their key removed from the keyring. > > Isn't there a way for devscripts to sync the real Debian keyring in > order to run dscverify, maybe with an '--update' option to refresh the > local copy? > > As it stands, devscripts would be better off without dscverify because > the results of dscverify are simply untrustworthy.
There have been three further debian-keyring uploads since this bug was filed; whilst it may not be completely up-to-date, I'm not sure it's currently outdated enough to render its use "untrustworthy" (and by extension this report as "important"). The debian-keyring README does include details of how to update a local copy via rsync, although admittedly it's not as explicit as I thought. Assuming my memory of previous discussions on the subject is correct, the copy of the keyring accessible via rsync still isn't the "real" keyring in terms of what dak will accept - that's a local copy which is in turn synced with keyring.d.o. Regards, Adam -- To unsubscribe, send mail to [EMAIL PROTECTED]
