Let me think out loud to this bug report...

Jonas Smedegaard said [Wed, Sep 23, 2020 at 08:43:03AM +0200]:
> I would certainly appreciate Debian running this kind of service.
>
> From a recipient PoV I would find it most sensible to receive such
> notification from the keyring maintainers, but I recognize that it would
> be an additional task that technically need not be tied to that same
> team.
>
> Thanks to Ximin for the initiative, and to Felix for running a test
> service from riseup.net: I've been bitten by this in the past, and was
> happy to receive a warning from Felix.

I too think this would be an important addition, but have been unable
to put the time into this; some of you might have noticed that
starting some months ago, while pushing a keyring update, I send a
mail to everybody whose key is _already_ expired; doing this is quite
easy:

/------------------- https://salsa.debian.org/debian-keyring/keyring/-/blob/master/t/no-expired.t
| #!/bin/sh
| # Looks for expired keys in our active keyrings
| set -e
|
| find_expired () {
|     k=$1
|     gpg --no-options --no-auto-check-trustdb --no-default-keyring \
|         --keyring "./output/keyrings/$k" --list-keys --with-colons \
|         | grep -a '^pub' \
|         | awk -F: -v keyring=$1 \
|         '$2 == "e" {print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"}'
| }
|
| fail=0
| for keyring in debian-keyring.gpg debian-maintainers.gpg \
|     debian-nonupload.gpg; do
|     find_expired $keyring
| done
|
| exit $fail

I suck at awk, so I would rephrase the last command in the pipeline
with:

    ruby -r date -n -e 'flds=$_.split(/:/); next unless flds[1] == "e"; \
      exp=Date.strptime(flds[6],"%s"); puts "%s: %s expired on %s" % \
      [ENV["k"], flds[4], exp.strftime("%Y-%m-%d")]'

That (plus exporting k in the shell to the environment) would leave it
functionally equivalent to what we currently have, and would allow us
to replace it with:

    ruby -r date -n -e 'flds=$_.split(/:/); today = Date.today; \
      onemonth = today+30; exp=Date.strptime(flds[6],"%s") rescue nil; \
      next if exp.nil? or exp >= onemonth; \
      puts "%s: %s expired on %s" % [ENV["k"], flds[4], \
        exp.strftime("%Y-%m-%d")] if exp <= today; \
      puts "%s: %s will soon expire (%s)" % [ENV["k"], flds[4], \
        exp.strftime("%Y-%m-%d")] if exp > today and exp <= onemonth'

That gives us a nice list that presents expired and soon-to-expire
keys -- Including information potentially useful today, of course!

    debian-keyring.gpg: 049B6D88E31734DB expired on 2019-08-17
    debian-keyring.gpg: 13EC43EEB9AC8C43 will soon expire (2020-10-02)
    debian-keyring.gpg: 17B1CA7D64089528 expired on 2020-06-12
    debian-keyring.gpg: 1CFC22F3363DEAE3 expired on 2020-06-17
    (...)

...But I have to leave the topic as it is right now, as my family
calls me. From here, this script can be easily modified:

    https://salsa.debian.org/debian-keyring/keyring/-/blob/master/scripts/mail_expired.rb

And we would have everything in place to notify people whose key is to
expire soon.

So, I will try to add this later today (but other keyring-maints, your
input is much appreciated before that!), or failing that... Soon™.
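
The expired / soon-to-expire check from the message above, written out as a small Ruby function. This is an added example, not part of the original mail and not the keyring project's code. It goes one step further than the one-liner by collecting the addresses from the uid records (where GnuPG 2.x puts them) and skipping revoked keys; the function name, the sample listing, key IDs and addresses are all constructed.

```ruby
require "date"

# Constructed sample of `gpg --list-keys --with-colons` output (GnuPG 2.x layout:
# the user ID is in field 10 of the uid record). Key IDs and names are made up.
SAMPLE = <<~EOS
  pub:e:4096:1:AAAAAAAAAAAAAAA1:1500000000:1566000000::-:::sc::::::23::0:
  uid:e::::1500000000::HASH::Alice Example <alice@example.org>::::::::::0:
  pub:-:4096:1:AAAAAAAAAAAAAAA2:1500000000:1601596800::-:::scESC::::::23::0:
  uid:-::::1500000000::HASH::Bob Example <bob@example.org>::::::::::0:
  pub:-:4096:1:AAAAAAAAAAAAAAA3:1500000000:::-:::scESC::::::23::0:
  uid:-::::1500000000::HASH::Carol Example <carol@example.org>::::::::::0:
  pub:r:4096:1:AAAAAAAAAAAAAAA4:1500000000:1566000000::-:::sc::::::23::0:
  uid:r::::1500000000::HASH::Dave Example <dave@example.org>::::::::::0:
EOS

# Returns one hash per primary key that is already expired or expires less than
# `window` days after `today`. Keys with no expiry date and revoked keys are
# skipped, so their uid records are never collected.
def expiry_report(listing, today: Date.today, window: 30)
  report = []
  current = nil
  listing.each_line do |line|
    f = line.chomp.split(":", -1)            # -1 keeps trailing empty fields
    case f[0]
    when "pub"
      current = nil
      next if f[1] == "r" || f[6].to_s.empty? # revoked, or never expires
      exp = Time.at(Integer(f[6])).utc.to_date # field 7: expiry, epoch seconds
      next if exp >= today + window           # same cut-off as the one-liner
      current = { keyid: f[4], expires: exp, uids: [],
                  status: exp <= today ? :expired : :expiring }
      report << current
    when "uid"
      current[:uids] << f[9] if current && f[1] != "r"
    end
  end
  report
end

if __FILE__ == $0
  expiry_report(SAMPLE, today: Date.new(2020, 9, 23)).each do |k|
    verb = k[:status] == :expired ? "expired on" : "will soon expire on"
    puts "0x#{k[:keyid]} #{verb} #{k[:expires]} -> #{k[:uids].join(', ')}"
  end
end
```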