Hi,

On Mon, 2025-04-21 at 13:39 -0600, Gunnar Wolf wrote:
> I am writing to you to help us decide whether it is pertinent to do a
> move right now, or whether we should wait for you to implement
> anything.
>
> Bug #1101418 (for which you have been Cc:d already) requests renaming
> the Debian keyrings from *.gpg to *.pgp [...]
> Guillem kindly prepared some patches to do this, and after some
> discussion, added the creation of some symlinks. The result of the
> patch in question will be that the keyrings published in
> kaufmann.debian.org will be renamed from *.gpg to *.pgp, and that
> symlinks will be created preserving the original names; in the
> future, we might work towards removing the symlinks.
>
> We need input from DSA to make sure we can perform this change. Some
> specific points we discussed on IRC are:
>
> - ftp-master processing
> - Email address to db.debian.org
> - vote.debian.org
> - Validation of mails sent to signed-only lists
>
> But, of course, other subsystems might also need it. We believe
> everything will work transparently if rsync is properly set to mirror
> symlinks.

This is primarily my personal thoughts rather than an official DSA ack.

To start from the beginning, as it were, the method by which debian.org
systems receive updated keyrings is userdir-ldap. The script which pulls
the current active keyrings from keyring.d.o to db.d.o (so that they can
be deployed by ud-ldap) is

https://salsa.debian.org/dsa-team/mirror/dsa-misc/-/blob/master/scripts/sync-keyring?ref_type=heads

That script runs from cron every 15 minutes on the db.d.o host.

This appears to be the primary point at which rsync's behaviour with
respect to symlinks is relevant. The various copy steps each use rsync's
"-a" option, so should preserve the symlinks. The final stage of the
sync - to "keyring-final" - copies only the files listed in
sha512sums.txt, so you would need to ensure that both the .gpg and .pgp
files / symlinks are included there.

userdir-ldap maintains its own list of keyrings which are deployed to
those hosts requesting them (e.g. ftp-master). While the keyrings are
copied from db.d.o to each host via rsync, the preparation of the rsync
source area uses Python's shutil.copy(), so AFAICS would follow the new
symlinks and continue to deploy *.gpg to var/lib/misc/thishost/ on
relevant hosts as real files.

That should mean that things would continue to work, but does mean that
the rename would *not* propagate to client hosts.

Regards,

Adam
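
The symlink behaviour discussed in the reply above, as an added example that is not part of the original message and is not code from userdir-ldap or sync-keyring: it stages a renamed keyring plus its compatibility symlink with shutil.copy() in both modes, and checks a manifest for both names. The keyring names, directory layout and the sha512sum-style manifest layout are assumptions made for illustration.

```python
import os
import shutil
import tempfile


def stage_keyrings(src_dir, dst_dir, names, follow_symlinks=True):
    """Copy each named keyring with shutil.copy(); report what landed in dst_dir."""
    os.makedirs(dst_dir, exist_ok=True)
    kinds = {}
    for name in names:
        dst = os.path.join(dst_dir, name)
        shutil.copy(os.path.join(src_dir, name), dst, follow_symlinks=follow_symlinks)
        kinds[name] = "symlink" if os.path.islink(dst) else "file"
    return kinds


def missing_from_manifest(manifest_text, required):
    """Return the required names absent from a sha512sum-style manifest."""
    listed = set()
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)  # "<hex digest>  <name>" (assumed layout)
        if len(parts) == 2:
            listed.add(parts[1].lstrip("*").strip())
    return [name for name in required if name not in listed]


def demo():
    names = ["example-keyring.pgp", "example-keyring.gpg"]  # constructed names
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        with open(os.path.join(src, names[0]), "wb") as fh:
            fh.write(b"constructed placeholder, not a real keyring\n")
        # Compatibility symlink: old *.gpg name pointing at the renamed *.pgp file.
        os.symlink(names[0], os.path.join(src, names[1]))
        # Default mode dereferences the link, so *.gpg arrives as a real file.
        followed = stage_keyrings(src, os.path.join(tmp, "followed"), names)
        # follow_symlinks=False recreates the link itself in the destination.
        preserved = stage_keyrings(src, os.path.join(tmp, "preserved"), names,
                                   follow_symlinks=False)
    # Constructed manifest that lists only the new name.
    manifest = "0" * 128 + "  example-keyring.pgp\n"
    return followed, preserved, missing_from_manifest(manifest, names)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the default mode the old name keeps working on the destination but as an independent regular file, so a later removal of the symlink at the source would not be visible from the copy alone.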