Adam D. Barratt said [Wed, Apr 23, 2025 at 05:13:07PM +0100]:
Ah, then this would seem to be safe to deploy now, and the file types problem could be fixed later on.

I have had several changes for userdir-ldap pending submission, but not this one about shutil.copy(), thanks. Will see how to improve that, and then send patches for userdir-ldap to DSA (I think I already sent out patches for userdir-ldap-cgi).

"Probably". If it doesn't work for some reason, however, the effects could include things such as dak no longer accepting any uploads from DDs because it can no longer find their public keys. I'd therefore be tempted to disable both the "pull" and "push" sides on db.d.o shortly before the keyring side is deployed, and test them by hand afterwards. I can't personally guarantee being around at any particular time this week though I'm afraid.

It makes sense to make sure we have a DSA person available to fix things in case it all bursts up in flames. I was planning on doing this push this Friday, 2025.04.25, in the morning (say, anywhere between 09:00–14:00 GMT-6). Can a DSA member be available in case this messes up something? Otherwise, I think it's better to listen to Adam's instinct and delay the move. It does not necessarily have to be aligned with a "full" keyring push.

Also, (I'm not sure whether I mentioned this before, besides Gunnar), something I noticed while trying to make sense of how this all works was that:

* At least on usper.debian.org, the /srv/keyring.debian.org/keyrings/ directory contains a non-symlink debian-maintainer.gpg file (missing final «s»).

I think that was me fat-fingering something when testing a while back; removed.

* On keyring.debian.org there's an extra-keys.pgp leftover(?) file, perhaps as part of some old transition?

That I'd have to defer to keyring-maint on.

Oops, this file looks completely fat-fingered as well. It was last touched in May 2018 by keyring:keyring. Inspecting the file with Sequoia treats it as a keyring with 17 mostly malformed certs:

    $ sq keyring list /tmp/extra-keys.pgp
    0. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    1. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    2. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    3. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    4. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    5. 04D5A231C5CC3B9CA2B06FC24AFC280200F2B9F3 Andreas Schuldei (home account) <andr...@schuldei.org>
    6. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    7. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    8. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    9. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    10. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    11. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    12. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    13. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    14. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    15. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    16. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version
    17. Unsupported Cert: Unsupported primary key: Malformed packet: unknown version

Oddly, I have gpg-from-sq installed, but gpg --list-packets works. Still, it yields too much output for posting here, but with 18 instances of «:public key packet: [invalid]». The included keys sport signatures created between 1996 and 2003. Oh, I see -- Running gpg --list-packets from kaufmann (which is "true" GnuPG) yields «:key packet: [obsolete version 3]», which I guess is not supported in Sequoia. The reported userIDs are:

    Filip Van Raemdonck
    Rick Younie
    Marc Brockschmidt
    Jarno Elonen
    Michael Weber
    Andreas Schuldei
    Ryan Murray
    Siggy Brentrup
    Jonathan Hall
    Jonathan J. Hall
    Torsten Werner
    Gerd Knorr
    Mattia Monga
    Detlev Zundel
    Timshel Knoll
    Patrick Patterson
    Jeremy M. Malcolm
    Jean Pierre LeJacq
    Thomas Bushnell, BSG

So, it's a list of PGPv3 keys from mostly retired DDs (and I don't know why it was touched on 2018.05.21). Anyway, according to our changelog, I _did_ upload a keyring on said date, so that file is my mistake. I am moving it to my home directory in kaufmann, just to be sure, but I really doubt we will miss it. Thanks for the sharp eye! :-)
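
The message above traces the "unknown version" errors to version 3 key packets. As an added example (not part of the thread and not Debian or keyring-maint tooling), this sketch walks the packet headers of a binary OpenPGP file per RFC 4880 and returns the version octet of each primary public-key packet; the sample bytes are constructed with dummy key material.

```python
import struct

PUBLIC_KEY = 6  # packet tag of a primary public key (RFC 4880, section 4.3)

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary (non-armored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                      # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def primary_key_versions(data):
    """Version octet of every primary public-key packet, in file order."""
    return [body[0] for tag, body in iter_packets(data) if tag == PUBLIC_KEY and body]

def _old(tag, body):   # old-format header with a 2-octet length
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
def _new(tag, body):   # new-format header, body shorter than 192 octets
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample, dummy key material: one v3 and one v4 primary key, each with a user ID.
V3_KEY = b"\x03" + struct.pack(">IHB", 852076800, 0, 1) + b"\x00\x08\xff\x00\x02\x03"
V4_KEY = b"\x04" + struct.pack(">IB", 1745400000, 1) + b"\x00\x08\xff\x00\x02\x03"
SAMPLE = (_old(6, V3_KEY) + _old(13, b"Old Example <old@example.org>")
          + _new(6, V4_KEY) + _new(13, b"New Example <new@example.org>"))

if __name__ == "__main__":
    print(primary_key_versions(SAMPLE))
```

Any 3 in the returned list marks a key that a parser without v3 support will reject; ASCII-armored input has to be dearmored before it is passed in.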