
Re: Debian upload monitor



On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:
> I am curious how you could craft an upload that would use a key
> (ostensibly not your own, since you would know what you are uploading
> anyway) where you could use some random DD's key to do the upload
> without an email going to that DD.  It seems like you would need to
> forge the GPG signature.

Which seems, according to [1], one of the things Enrico's monitor is
supposed to permit detecting. An interesting intended usage IMO.

The real point relevant to this mailing list is: are we interested in
hosting the service under some of the QA services we have or not? If not
we can let it go and, AFAIU, it can/will be hosted on ftp-master.d.o. If
we are interested on the other hand we can host it.  Speaking for the
PTS side I don't think it would have any use there, as the PTS is mainly
source package based; moreover, at that granularity the PTS already has
the upload history and the corresponding RSS feed.

IMO it will be very interesting to have this integrated in DDPO, as it
is the one true Debian portal we have which is oriented toward a
maintainer.

Any other places we might benefit from this service?

Cheers.

[1] http://www.enricozini.org/2008/tips/audit-uploads.html

-- 
Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
zack@{upsilon.cc,cs.unibo.it,debian.org}  -<%>-  http://upsilon.cc/zack/
(15:56:48)  Zack: e la demo dema ?    /\    All one has to do is hit the
(15:57:15)  Bac: no, la demo scema    \/    right keys at the right time
