Russ Allbery wrote: > Thomas Viehmann <[EMAIL PROTECTED]> writes: >> Russ Allbery wrote:
>>> Assuming the e-mail address on keys is mailable is also a bit dodgy, >>> and which of the multiple identities on a key would one use? >> The one that is stored associated to the account (DM or ldap and @d.o). > I suppose that most of the time you'll get lucky and one of the key uids > will match LDAP, but you still lose on DMs. And it's certainly not > required that one of the key uids matches anything in LDAP. I, on the contrary suppose that the developer LDAP database could, in fact, be used in the same fashion as it is by devotee, who-uploads, probably dak somewhere else etc. to map key fingerprints to Debian accounts. Add @debian.org and you get an email address (let's not care about people disabling it). The DMs are assigned UIDs that look, after some very mild modification (s/^dm://), eeriely like email addresses. So indeed, >> It's not that hard actually, after all, it has already been checked that >> the signature is from a known uploader. despite your claim of > By checking against a keyring, which still doesn't tell you which uid to > use for contact information. Remember, when the parsing of *.changes > failed, you don't have any of the metadata for the package, since you > can't trust the results of a failed parse. which I still don't quite follow if the parse error is of a nature such that it is completely unrelated to the information "^Changed-By: (.*)". Kind regards T. -- Thomas Viehmann, http://thomas.viehmann.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
