Hi!

On Wed, 2025-04-23 at 21:23:20 +0200, Philipp Kern wrote:
> On 2025-04-23 19:17, Gunnar Wolf wrote:
> > Adam D. Barratt said [Wed, Apr 23, 2025 at 05:13:07PM +0100]:
> > > > Ah, then this would seem to be safe to deploy now, and the file types
> > > > problem could be fixed later on. I have had several changes for
> > > > userdir-ldap pending submission, but not this one about
> > > > shutil.copy(), thanks. Will see how to improve that, and then send
> > > > patches for userdir-ldap to DSA (I think I already sent out patches
> > > > for userdir-ldap-cgi).
> > >
> > > "Probably". If it doesn't work for some reason, however, the effects
> > > could include things such as dak no longer accepting any uploads from
> > > DDs because it can no longer find their public keys.
> > >
> > > I'd therefore be tempted to disable both the "pull" and "push" sides on
> > > db.d.o shortly before the keyring side is deployed, and test them by
> > > hand afterwards.
> > >
> > > I can't personally guarantee being around at any particular time this
> > > week though I'm afraid.
> >
> > ..It makes sense to make sure we have a DSA person available to fix things
> > in case it all bursts up in flames.
> >
> > I was planning on doing this push this Friday, 2025.04.25, in the morning
> > (say, anywhere between 09:00–14:00 GMT-6). Can a DSA member be available in
> > case this messes up something?
> >
> > Otherwise, I think it's better to listen to Adam's instinct and delay the
> > move. It does not necessarily have to be aligned with a "full" keyring
> > push.
>
> Can we push .gpg and .pgp files with identical content for a while?
> That'd decouple necessary realtime interactions. I realize that this
> does not fix the fact that we might break stuff once we replace .gpg
> files with a symlink - but it also opens up the opportunity that we
> can also replace the references instead.

I was thinking something along those lines (as in decouple the archive switch from the infra switch), as my current main interest right now would be for the changes to hit Debian trixie, via the .deb in the archive. But it's true that just duplicating the files might be safer, and as you mention then we can just simply flip the infra users, and then later on whether it's a symlink or not will not matter as much I guess.

I'll try to come up with an updated patch for debian-keyring trying to decouple the package generation from the infra syncing, hopefully by tomorrow (Thu), or maybe later today.

Thanks,
Guillem

