Package: devscripts
severity 438679 wishlist
retitle 438679 "[dscverify]: please document use of an alias to aid new DD's between keyring updates"
thanks

On Tue, 16 Sep 2008 23:50:23 +0100
"Adam D. Barratt" <[EMAIL PROTECTED]> wrote:

> Hi,
>
> On Sat, 2007-08-18 at 23:12 +0100, Neil Williams wrote:
> > dscverify relies on the keyring packaged in debian-keyring which has
> > not had an upload since 2005. dscverify therefore fails to verify new
> > DD's (like me) and wrongly verifies signatures of DD's who may have
> > resigned or otherwise had their key removed from the keyring.
> >
> > Isn't there a way for devscripts to sync the real Debian keyring in
> > order to run dscverify, maybe with an '--update' option to refresh the
> > local copy?
> >
> > As it stands, devscripts would be better off without dscverify because
> > the results of dscverify are simply untrustworthy.
>
> There have been three further debian-keyring uploads since this bug was
> filed; whilst it may not be completely up-to-date, I'm not sure it's
> currently outdated enough to render its use "untrustworthy" (and by
> extension this report as "important").

That's fair enough.

> The debian-keyring README does include details of how to update a local
> copy via rsync, although admittedly it's not as explicit as I thought.
> Assuming my memory of previous discussions on the subject is correct,
> the copy of the keyring accessible via rsync still isn't the "real"
> keyring in terms of what dak will accept - that's a local copy which is
> in turn synced with keyring.d.o.

In which case, I've changed this bug to a wishlist asking for advice
for new DD's who may continue to be caught in this situation on an
ongoing basis:

$ grep dscverify ~/.bashrc
alias dscverify='dscverify --keyring ~/.gnupg/pubring.gpg'

Adding that to the manpage for dscverify would be OK to close this bug -
along with some explanation of why this can happen. It will help with
debian-mentors too - sponsors do need to verify .dsc files from
non-DD's.

--
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/