On Thu, May 01, 2008 at 11:39:32PM +0100, Enrico Zini wrote:
> On Thu, May 01, 2008 at 04:46:00PM -0400, Roberto C. Sánchez wrote:
>
> > I am curious how you could craft an upload that would use a key
> > (ostensibly not your own, since you would know what you are uploading
> > anyway) where you could use some random DD's key to do the upload
> > without an email going to that DD. It seems like you would need to
> > forge the GPG signature.
>
> For example, you have several IDs in your key. If I have reason to
> believe that you don't receive mail in one of them (for example, I can
> notice that a domain has expired, or I can send fake spam to all of them
> and see if one bounces), then I can use that address in Maintainer: and
> Changed-by:, and dak will mail there.
>
Yes, but it will also mail you at your @debian.org email since your key was used to sign the upload. The specific example you cite would happen regardless of whether you used any non-existent or bogus email address.
> But regardless of specific examples, this is an extra, complementary
> layer of security. The GPG key is our most important security token,
> and a way to track its usage is the least that we should have.
>
> Whether it belongs to QA or ftp-master is what I'm trying to find out.
>
Right. I am not really disputing the usefulness (it might be kind of neat to be able to map Maintainer/Changed-By addresses to the key(s) used to upload for those addresses). I was just wondering about how it might mean that something could be uploaded without an email going to some DD somewhere along the way.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com