On Wed, 2025-04-23 at 02:24 +0200, Guillem Jover wrote:
> Hi!
>
> On Mon, 2025-04-21 at 22:00:09 +0100, Adam D. Barratt wrote:
> [...]
> > userdir-ldap maintains its own list of keyrings which are deployed
> > to those hosts requesting them (e.g. ftp-master). While the
> > keyrings are copied from db.d.o to each host via rsync, the
> > preparation of the rsync source area uses Python's shutil.copy(),
> > so AFAICS would follow the new symlinks and continue to deploy
> > *.gpg to var/lib/misc/thishost/ on relevant hosts as real files.
> > That should mean that things would continue to work, but does mean
> > that the rename would *not* propagate to client hosts.
>
> Ah, then this would seem to be safe to deploy now, and the file types
> problem could be fixed later on. I have had several changes for
> userdir-ldap pending submission, but not this one about
> shutil.copy(), thanks. Will see how to improve that, and then send
> patches for userdir-ldap to DSA (I think I already sent out patches
> for userdir-ldap-cgi).

"Probably". If it doesn't work for some reason, however, the effects
could include things such as dak no longer accepting any uploads from
DDs because it can no longer find their public keys. I'd therefore be
tempted to disable both the "pull" and "push" sides on db.d.o shortly
before the keyring side is deployed, and test them by hand afterwards.
I can't personally guarantee being around at any particular time this
week though I'm afraid.

> I think though, the other related patch I sent for dsa-puppet, might
> self-heal the symlinks?

Unless I missed a patch, I think it only adds symlinks in the new
names, to the existing .gpg files? If so then it still relies on the
files shipped by ud-ldap being named .gpg.

> Also, (I'm not sure whether I mentioned this before, besides Gunnar),
> something I noticed while trying to make sense how this all works was
> that:
>
>   * At least on usper.debian.org, the
>     /srv/keyring.debian.org/keyrings/ directory contains a non-symlink
>     debian-maintainer.gpg file (missing final «s»).

I think that was me fat-fingering something when testing a while back;
removed.

>   * On keyring.debian.org there's an extra-keys.pgp leftover(?) file,
>     perhaps as part of some old transition?

That I'd have to defer to keyring-maint on.

Regards,

Adam

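Added example, not part of the original message and not userdir-ldap's code: a sketch of the shutil.copy() behaviour discussed above, where a *.gpg name that has become a symlink is staged as a real file by default, and as a (possibly dangling) symlink with follow_symlinks=False. The function names, the example-keyring file names and the .pgp target name are assumptions made for the illustration.

```python
import os
import shutil
import tempfile


def stage_keyrings(src_dir, dst_dir, follow_symlinks=True):
    """Copy every *.gpg entry from src_dir to dst_dir; report what each became."""
    os.makedirs(dst_dir, exist_ok=True)
    result = {}
    for name in sorted(os.listdir(src_dir)):
        if not name.endswith(".gpg"):
            continue
        dst = os.path.join(dst_dir, name)
        # Default follow_symlinks=True copies the link target's contents.
        shutil.copy(os.path.join(src_dir, name), dst,
                    follow_symlinks=follow_symlinks)
        result[name] = "symlink" if os.path.islink(dst) else "file"
    return result


def demo():
    """Build a constructed keyring directory and stage it both ways."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "keyrings")
        os.makedirs(src)
        # Constructed layout: real file under the new name, old name is a symlink.
        with open(os.path.join(src, "example-keyring.pgp"), "wb") as fh:
            fh.write(b"constructed keyring bytes")
        os.symlink("example-keyring.pgp",
                   os.path.join(src, "example-keyring.gpg"))

        followed = stage_keyrings(src, os.path.join(root, "out-follow"))
        preserved = stage_keyrings(src, os.path.join(root, "out-nofollow"),
                                   follow_symlinks=False)
        # The preserved link is relative, and its target was filtered out
        # by the *.gpg match, so it resolves to nothing in the staging area.
        dangling = not os.path.exists(
            os.path.join(root, "out-nofollow", "example-keyring.gpg"))
        return followed, preserved, dangling


if __name__ == "__main__":
    print(demo())
```
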
