Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2022-04-16 Thread Gilles Filippini

Thanks for the ping! This is very much appreciated.

Best,
_g.



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2022-02-21 Thread Samuel Henrique
Thanks for the ping!

Last time I didn't notice my key was about to expire and as a result a
few uploads of mine got delayed by the key refresh in the keyring.

Cheers,

-- 
Samuel Henrique 



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-11-23 Thread Alex Chernyakhovsky
> (replace user with the debian ID)
> $ finger user/k...@db.debian.org | gpg --list-options show-keyring 2>/dev/null

It was my understanding this is the confirmation the key had made it
to the keyring package. I was hoping to confirm the key had been
successfully received, and then later rolled out.

Sincerely,
-Alex



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-11-22 Thread Roger Shimizu
> The only thing I may suggest is
> perhaps mention how to verify that the keyring.debian.org server
> received the update. It seems that doing --recv-keys a few minutes
> later (but not immediately!) will show the updated key, with the new
> expiry.

As I commented on
https://salsa.debian.org/debian-keyring/website/-/merge_requests/4

Although the updated key can be confirmed by --recv-keys, it will still
not be effective yet, I guess. The final confirmation is mentioned on
the wiki:
- https://wiki.debian.org/DebianKeyring

(replace user with the debian ID)
$ finger user/k...@db.debian.org | gpg --list-options show-keyring 2>/dev/null

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-10-22 Thread Jérémy Lal
On Thu, Oct 22, 2020 at 16:48, Felix Lechner  wrote:

> Hi Jérémy
>
> On Thu, Oct 22, 2020 at 1:33 AM Jérémy Lal  wrote:
> >
> > Maybe the reminder is a bit early:
>
> The bug suggested sending out monthly reminders, two months out. That
> way people get two reminders. Perhaps it should be configurable in
> db.debian.org. How long do you usually extend your key? Is it just a
> year? Thank you!
>

Yes, just a year every year.
I suppose a one-month reminder is long enough for vacations,
and some days before is good enough to catch up if the first was missed.
Longer delays might just give the same result: forgetting to do it at the
right time.

Jérémy


Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-10-22 Thread Felix Lechner
Hi Jérémy

On Thu, Oct 22, 2020 at 1:33 AM Jérémy Lal  wrote:
>
> Maybe the reminder is a bit early:

The bug suggested sending out monthly reminders, two months out. That
way people get two reminders. Perhaps it should be configurable in
db.debian.org. How long do you usually extend your key? Is it just a
year? Thank you!

Kind regards
Felix Lechner



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-10-22 Thread Jérémy Lal
Package: debian-keyring
Followup-For: Bug #892058

A really great service, as my key often times out.

Maybe the reminder is a bit early:
- key expires on 24th dec
- last chance is 24th nov
- got reminder 22nd oct

Jérémy


Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-10-21 Thread Felix Lechner
Hi Gunnar,

> I will add this, but not to this script

Here is the script I used for today's reminders. It is attached just
for the record. I am still working on automating the uid selection,
the sending of messages, and also calculating the subkey expirations.

Kind regards
Felix Lechner


upcoming-expirations.xz
Description: application/xz


Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-09-23 Thread Gunnar Wolf
David Prévot said [Wed, Sep 23, 2020 at 10:49:33AM -0400]:
> > And we would have everything in place to notify people whose key is
> > to expire soon.
> 
> Wonderful, thank you for working on making (part of) our lives easier!

:-]

I will add this, but not to this script (thinking during
breakfast... The script I modified is part of our test suite, and it'd
be wrong to mark soon-to-expire keys as failing). But I think I will
modify in this same way the mail_expired script - making it not
consume from the no-expired test, but asking directly from gpg.

I also just (!) took notice of this bug report and its history;
although we informally discussed this a long time ago, I'd like to
give _my_ answer to Jonathan's questions¹. Note that they are _my_
take on that, just as ⅓ of the relevant team (where Jonathan is
another ⅓).

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892058#10

- What email to notify from? I think it can be keyring-maint@d.o. Why
  not? It's not going to be so massive, and if we get bounces... Well,
  they will not be hundreds of them.

- Which mail to notify? I think just the @debian.org address should
  suffice. Yes, we know of some DDs that disable this address, but I
  don't think they are significative enough for us to even notice.

- How often? I often do a mail every time I push out a keyring (which
  is, approximately, one out of three months). I think we could do
  this run on a monthly basis, notifying people that are to expire in
  two or three months time.

- Why is it keyring-maint's responsibility? It is not, but it is a
  service we can perform, much like any other person can. It just
  happens that we have all of the data in our hands.

- How long to care for long expired keys? I often mail everybody with
  an expired key, but it'd be quite easy to have some different mails
  -- Could be along the lines of "Key about to expire, please act now"
  (-2 to 0 months), "Key recently expired" (0 to 3 months), "Do note
  your key has expired" (3 to 12 months), "Key long expired" (12 to 24
  months), and... "Radio silence, please call in MIA".




Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-09-23 Thread David Prévot
On Wed, Sep 23, 2020 at 08:26:05AM -0500, Gunnar Wolf wrote:

[…Technical stuff…]

> And we would have everything in place to notify people whose key is
> to expire soon.

Wonderful, thank you for working on making (part of) our lives easier!

Regards

David




Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-09-23 Thread Gunnar Wolf
Let me think out loud to this bug report...

Jonas Smedegaard said [Wed, Sep 23, 2020 at 08:43:03AM +0200]:
> I would certainly appreciate Debian running this kind of service.
> 
> From a recipient PoV I would find it most sensible to receive such 
> notification from the keyring maintainers, but I recognize that it would 
> be an additional task that technically need not be tied to that same 
> team.
> 
> Thanks to Ximin for the initiative, and to Felix for running a test 
> service from riseup.net: I've been bitten by this in the past, and was 
> happy to receive a warning from Felix.

I too think this would be an important addition, but have been unable
to put the time into this; some of you might have noticed that
starting some months ago, while pushing a keyring update, I send a
mail to everybody whose key is _already_ expired; doing this is quite
easy:

/--- https://salsa.debian.org/debian-keyring/keyring/-/blob/master/t/no-expired.t
| #!/bin/sh
| # Looks for expired keys in our active keyrings
| set -e
| 
| find_expired () {
|   k=$1
|   gpg --no-options --no-auto-check-trustdb --no-default-keyring \
|   --keyring "./output/keyrings/$k" --list-keys --with-colons \
|   | grep -a '^pub' \
|   | awk -F: -v keyring=$1 \
|   '$2 == "e" {print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"}'
| }
| 
| fail=0
| for keyring in debian-keyring.gpg debian-maintainers.gpg \
|   debian-nonupload.gpg; do
|   find_expired $keyring
| done
| 
| exit $fail

I suck at awk, so I would rephrase the last command in the pipeline
with:

ruby -r date -n -e 'flds=$_.split(/:/); next unless flds[1] == "e"; \
   exp=Date.strptime(flds[6],"%s"); puts "%s: %s expired on %s" % \
   [ENV["k"], flds[4], exp.strftime("%Y-%m-%d")]'

That (plus exporting k in the shell to the environment) would leave it
functionally equivalent to what we currently have, and would allow us
to replace it with:

ruby -r date -n -e 'flds=$_.split(/:/); today = Date.today; \
onemonth = today+30; exp=Date.strptime(flds[6],"%s") rescue nil; \
next if exp.nil? or exp >= onemonth; \
puts "%s: %s expired on %s" % [ENV["k"], flds[4], \
exp.strftime("%Y-%m-%d")] if exp <= today; \
puts "%s: %s will soon expire (%s)" % [ENV["k"], flds[4], \
exp.strftime("%Y-%m-%d")] if exp > today and exp <= onemonth'

That gives us a nice list that presents expired and soon-to-expire
keys -- Including information potentially useful today, of course!

debian-keyring.gpg: 049B6D88E31734DB expired on 2019-08-17
debian-keyring.gpg: 13EC43EEB9AC8C43 will soon expire (2020-10-02)
debian-keyring.gpg: 17B1CA7D64089528 expired on 2020-06-12
debian-keyring.gpg: 1CFC22F3363DEAE3 expired on 2020-06-17
(...)

...But I have to leave the topic as it is right now, as my family
calls me. From here, this script can be easily modified:


https://salsa.debian.org/debian-keyring/keyring/-/blob/master/scripts/mail_expired.rb

And we would have everything in place to notify people whose key is
to expire soon.

So, I will try to add this later today (but other keyring-maints, your
input is much appreciated before that!), or failing that... Soon™.
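
An added example, not part of the original message and not code from the keyring repository or mail_expired.rb: it parses the same `gpg --with-colons` listing the one-liners above read and sorts each primary key into the reminder tiers proposed in the 2020-09-23 follow-up in this thread. Counting the tiers in calendar months, skipping revoked keys, and the sample records (made-up key IDs and dates) are assumptions of this example.

```ruby
require 'date'

# Turn `gpg --with-colons --fixed-list-mode --list-keys` output into
# [keyid, expiry Date] pairs for primary keys that carry an expiry date.
def pub_expiries(listing)
  listing.each_line.map do |line|
    f = line.chomp.split(':', -1)
    next unless f[0] == 'pub'                 # subkeys, uids, fpr lines: skip
    next if f[1] == 'r'                       # revoked: a reminder cannot help
    next unless f[6].to_s.match?(/\A\d+\z/)   # empty field 7: key never expires
    [f[4], Time.at(f[6].to_i).utc.to_date]
  end.compact
end

# Map an expiry date to the reminder tiers suggested in the thread.
# Months are calendar months (Date#>> / Date#<<); nil means "no mail yet".
def tier_for(expiry, today)
  return nil if expiry > (today >> 2)
  return 'Key about to expire, please act now' if expiry > today
  return 'Key recently expired'                if expiry > (today << 3)
  return 'Do note your key has expired'        if expiry > (today << 12)
  return 'Key long expired'                    if expiry > (today << 24)
  'Radio silence, please call in MIA'
end

# [keyid, expiry, message] for every key that should get a mail, oldest first.
def reminders(listing, today)
  pub_expiries(listing)
    .map { |keyid, exp| [keyid, exp, tier_for(exp, today)] }
    .reject { |_, _, msg| msg.nil? }
    .sort_by { |_, exp, _| exp }
end

# Build one colon-format record; key IDs and dates below are constructed.
def sample_record(type, validity, keyid, expiry)
  exp = expiry ? Time.utc(*expiry).to_i.to_s : ''
  [type, validity, '4096', '1', keyid, '1400000000', exp,
   '', '', '', '', 'scESC'].join(':')
end

SAMPLE = [
  sample_record('pub', '-', '00000000000000A1', [2020, 10, 2]),
  sample_record('sub', '-', '00000000000000B1', [2020, 9, 1]),   # not a pub line
  sample_record('pub', 'e', '00000000000000A2', [2020, 6, 28]),
  sample_record('pub', 'e', '00000000000000A3', [2020, 6, 12]),
  sample_record('pub', 'e', '00000000000000A4', [2019, 8, 17]),
  sample_record('pub', 'e', '00000000000000A5', [2017, 1, 1]),
  sample_record('pub', '-', '00000000000000A6', [2021, 3, 1]),   # too far off
  sample_record('pub', '-', '00000000000000A7', nil),            # no expiry set
  sample_record('pub', 'r', '00000000000000A8', [2020, 10, 5]),  # revoked
].join("\n")

TODAY = Date.new(2020, 9, 23) # fixed so the output is reproducible

if __FILE__ == $0
  reminders(SAMPLE, TODAY).each { |k, e, m| puts "0x#{k} #{e} #{m}" }
end
```

A key that expires today is treated as already expired, matching the `exp <= today` test in the one-liner above.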




Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-09-23 Thread Jonas Smedegaard
I would certainly appreciate Debian running this kind of service.

From a recipient PoV I would find it most sensible to receive such 
notification from the keyring maintainers, but I recognize that it would 
be an additional task that technically need not be tied to that same 
team.

Thanks to Ximin for the initiative, and to Felix for running a test 
service from riseup.net: I've been bitten by this in the past, and was 
happy to receive a warning from Felix.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-09-22 Thread Vagrant Cascadian
I too would like to have such a service available, having let my key
expire again recently.

I've sometimes set up a local cron job to nudge me by checking the
installed debian-keyring package, but that package doesn't always get
updated (and I occasionally hear it's been talked of not including a
package at all?). I kind of liked not having to have network access
(other than normal package updating processes).

Maybe I could run a cron job polling keyring.debian.org directly on some
debian infrastructure instead (any suggestions where?)... but if I'm
doing this for myself, others surely could use it too; a shared cron job
that people could call to opt in to might be nice, and then they could
control the email address to send and how often they want the reminders
themselves...


live well,
  vagrant




Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2020-03-14 Thread Otto Kekäläinen
Hello!

I am also in favor of this idea. I renewed my key a couple of weeks
before it expired, but I should have renewed it 2 months before. I did
not factor in the delay in the keyring releases (now already 6+ weeks
since last release).

Getting an automated reminder would indeed have been helpful.



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2018-07-24 Thread Markus Koschany
Hello,

On Mon, 5 Mar 2018 10:04:22 + Jonathan McDowell 
wrote:
> On Sun, Mar 04, 2018 at 08:02:35PM +0100, Ximin Luo wrote:
> 
> > For security, I set a short validity period on my key and renew this
> > every year by repeatedly extending the expiry date. However I keep
> > forgetting to send the key to keyring.debian.org, and it's the second
> > time this has happened. Since the keyring-maint team usually updates
> > debian-keyring once a month, it means I can't do any uploads for a
> > month, which is pretty inconvenient.

I would like to second this request because I recently made the same
mistake. Although I had uploaded my public key to the keyserver network
months ago, it was never synced with keyring.debian.org. I naively
assumed it would happen automatically. I followed the instructions on
https://keyring.debian.org/ and now I'm waiting for the keypush. In the
meantime I cannot upload any packages.

> We've discussed this internally in the past (we have scripts/chk_expiry
> already which probably needs a bit of cleanup for gpg2) and never come
> up with a solution that we actually rolled out. I have a few unanswered
> questions about doing such a thing:
> 
> *) What email address do we email from? The keyring-maint role address?
>    Something else where we can just drop the bounces?

Either this one or from a completely new address which is only meant for
sending out those emails but is not supposed to receive messages.

> *) Which email address do we notify about the key expiry? The primary
>    UID (not always well specified)? All UIDs? The @debian.org address
>    associated with the key (where available, doesn't work for DDs)?

In doubt I would suggest to notify all email addresses / UIDs, just to
be sure.

> *) How often do we email? Both in terms of how often do we run the
>    checks, and how often do we alert someone about an upcoming expiry.
>    Should it be something we do from a regular cron job, or something
>    done after a keyring update?

Once per week, three months before the key will expire. Both, a regular
cron job or after a keyring update, would work I guess as long as the
keyring push happens approximately once per month. This will give active
people enough time to react.

> *) Why is it keyring-maint's responsibility to manage key expiry
>    notifications for people?

It isn't but I believe you would help to improve this service. Some
people like me didn't know that updated public keys are not
automatically synced, others forget it completely. In any case an
automated email would help to prevent those situations, which could mean
that DM/DDs are unable to upload for a month or longer.

> *) [Related, but a one off]: How do we handle long expired keys? There
>    are keys that have been expired for nearly 3 years. Is there a point
>    where we should submit them to MIA? If we're sending notifications
>    perhaps there's an MIA notification as part of the same script?

If they have been expired for three years, it is very likely that the
developer in question is MIA. I believe it would be helpful to inform
the MIA team about it and ask them to check the situation. This
could/should? be handled differently.

Regards,

Markus







Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2018-03-05 Thread Jonathan McDowell
On Sun, Mar 04, 2018 at 08:02:35PM +0100, Ximin Luo wrote:

> For security, I set a short validity period on my key and renew this
> every year by repeatedly extending the expiry date. However I keep
> forgetting to send the key to keyring.debian.org, and it's the second
> time this has happened. Since the keyring-maint team usually updates
> debian-keyring once a month, it means I can't do any uploads for a
> month, which is pretty inconvenient.

We've discussed this internally in the past (we have scripts/chk_expiry
already which probably needs a bit of cleanup for gpg2) and never come
up with a solution that we actually rolled out. I have a few unanswered
questions about doing such a thing:

*) What email address do we email from? The keyring-maint role address?
   Something else where we can just drop the bounces?

*) Which email address do we notify about the key expiry? The primary
   UID (not always well specified)? All UIDs? The @debian.org address
   associated with the key (where available, doesn't work for DDs)?

*) How often do we email? Both in terms of how often do we run the
   checks, and how often do we alert someone about an upcoming expiry.
   Should it be something we do from a regular cron job, or something
   done after a keyring update?

*) Why is it keyring-maint's responsibility to manage key expiry
   notifications for people?

*) [Related, but a one off]: How do we handle long expired keys? There
   are keys that have been expired for nearly 3 years. Is there a point
   where we should submit them to MIA? If we're sending notifications
   perhaps there's an MIA notification as part of the same script?

J.

-- 
Web [ Life's dangerous enough without mines in the garden. ]
site: https:// [  ]  Made by
www.earth.li/~noodles/  [  ] HuggieTag 0.0.24



Bug#892058: debian-keyring: please automatically send reminder emails to people whose keys will expire soon

2018-03-04 Thread Ximin Luo
Package: debian-keyring
Version: 2018.01.24
Severity: wishlist
Tags: patch

Dear Maintainer,

For security, I set a short validity period on my key and renew this every year
by repeatedly extending the expiry date. However I keep forgetting to send the
key to keyring.debian.org, and it's the second time this has happened. Since
the keyring-maint team usually updates debian-keyring once a month, it means I
can't do any uploads for a month, which is pretty inconvenient.

I've attached a script that prints the soon-to-expire keys from
debian-keyring.gpg. You can run it like this:

$ ./dd-expiry "2 months" now
5394479DD3524C51 1520360331 2018-03-06T19:18:51+01:00
88237A6A53AB1B2E 1521137128 2018-03-15T19:05:28+01:00
2FD8BEDAC020EED1 1521756999 2018-03-22T23:16:39+01:00
FF55C8F4DAE92422 1522357905 2018-03-29T23:11:45+02:00
6C8F74AE87700B7E 1522940258 2018-04-05T16:57:38+02:00
9AF46B3025771B31 1523261856 2018-04-09T10:17:36+02:00
8CBF9A322861A790 1523450637 2018-04-11T14:43:57+02:00
D04BA3A00125D5C0 1523561253 2018-04-12T21:27:33+02:00
792152527B75921E 1524162229 2018-04-19T20:23:49+02:00
AB645F406286A7D0 1524227017 2018-04-20T14:23:37+02:00
965522B9D49AE731 1524351803 2018-04-22T01:03:23+02:00
9EDCC991D9AB457E 1524389562 2018-04-22T11:32:42+02:00
025AFE95AC9DF31B 1524721803 2018-04-26T07:50:03+02:00
0ABA650372FD9571 1524748809 2018-04-26T15:20:09+02:00
003A1A2DAA41085F 1525086689 2018-04-30T13:11:29+02:00
3F9219A67F36C68B 1525192781 2018-05-01T18:39:41+02:00
39091E8123CE1C09 1525312214 2018-05-03T03:50:14+02:00

It would be good if you could hook up the output of this script to an automatic
email reminder script, that emails those people to renew their keys.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-keyring depends on no packages.

Versions of packages debian-keyring recommends:
ii  gnupg  2.2.5-1

debian-keyring suggests no packages.

-- no debconf information
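#!/bin/sh
# Usage: dd-expiry [LATER [EARLIER]]
# Prints "keyid expiry-epoch expiry-ISO8601" for every primary key in
# debian-keyring.gpg that expires after EARLIER (default: the epoch) and
# before LATER (default: 2 months from now), sorted by expiry time.
# In --with-colons output, field 5 is the key ID and field 7 the expiry time.
set -e
later=$(date -d "${1:-2 months}" +%s)
earlier=$(date -d "${2:-@0}" +%s)
now=$(date +%s)
gpg 2>/dev/null \
  --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg \
  --with-colons --fixed-list-mode --keyid-format=long \
  --list-keys |
grep ^pub |
cut -d: -f5,7 |
tr : ' ' | {
  while read key exp; do
    # Keys without an expiry date have an empty field 7; skip them.
    if [ -n "$exp" -a "0$exp" -lt "$later" -a "0$exp" -gt "$earlier" ]; then
      echo $key $exp $(date -d "@$exp" -Is)
    fi
  done
  # Add a marker line for the current time so it sorts among the expiry dates.
  if [ "$earlier" -lt "$now" ]; then
    echo "--now--- $now $(date -Is)"
  fi
} |
sort -k2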