On 19/12/15 04:25, Rod Smith wrote:
> I just wanted to give this bug a kick, because it's still an issue. I
> accidentally deactivated the wrong OpenPGP key, which resulted in an
> apparently-successful upload that then vanished into a black hole, from
> my point of view -- I received no e-mail notifications of either success
> or failure and no indications of problems from dput. The page for the
> PPA showed no hint of any upload. I banged my head against this problem
> for several hours, and it stumped a few people (Canonical employees) who
> I consulted (although in their defense, they didn't know I'd done
> anything with my keys recently). If I'm not mistaken, the e-mail address
> of the person who submitted the package is in the .changes file, so it
> should be possible to fire off an e-mail saying that the OpenPGP key
> didn't check out. This could save newbies, or fumble-fingered folks like
> myself, much head-banging.
But we can't verify the signature, so anybody could have uploaded that
email address via anonymous FTP. That's not a spam vector that we can
sensibly open ourselves up to.
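The point of the reply above is that the Changed-By address inside a .changes file is only trustworthy once the OpenPGP signature over that file verifies against a known key; until then it is attacker-controlled input and mailing it is a spam vector. The following is an added illustration of that gate, not Launchpad's or dput's code. It assumes a hypothetical keyring (TRUSTED_KEYS) and stands in for OpenPGP clearsign verification with an HMAC so that it runs offline; the .changes contents and addresses are constructed.

```python
"""Gate upload notifications on signature verification (added example).

A .changes file is a Debian-control style block that is OpenPGP clearsigned.
The OpenPGP check is stood in for here by an HMAC over the body keyed by a
per-uploader secret, so the example runs without gpg; the decision logic is
the part of interest.
"""
import hashlib
import hmac
import re

# Hypothetical keyring: key id -> secret for the stand-in signature.
# With real OpenPGP this would be a keyring of uploaders' public keys.
TRUSTED_KEYS = {
    "AAAA1111": b"secret-for-rod",
}


def sign_changes(body, key_id, secret):
    """Wrap a .changes body in a clearsign-style envelope (stand-in for gpg)."""
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return (
        "-----BEGIN SIGNED MESSAGE-----\n"
        f"{body}"
        "-----BEGIN SIGNATURE-----\n"
        f"KeyID: {key_id}\n"
        f"MAC: {mac}\n"
        "-----END SIGNATURE-----\n"
    )


SIGNED_RE = re.compile(
    r"-----BEGIN SIGNED MESSAGE-----\n(?P<body>.*?)"
    r"-----BEGIN SIGNATURE-----\nKeyID: (?P<key>\S+)\nMAC: (?P<mac>[0-9a-f]+)\n"
    r"-----END SIGNATURE-----\n",
    re.S,
)


def parse_fields(body):
    """Parse 'Field: value' lines of the .changes body into a dict."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def verify(signed):
    """Return (ok, body, key_id); ok is False for unsigned, unknown-key or tampered input."""
    m = SIGNED_RE.fullmatch(signed)
    if not m:
        return False, None, None
    key, body = m.group("key"), m.group("body")
    secret = TRUSTED_KEYS.get(key)
    if secret is None:
        return False, body, key
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, m.group("mac")), body, key


def notification_target(signed):
    """E-mail address that may be notified, or None if the signature did not check out."""
    ok, body, _key = verify(signed)
    if not ok:
        # Unverified upload: Changed-By arrived over anonymous FTP and could
        # name anyone's address, so nothing is mailed.
        return None
    addr = re.search(r"<([^>]+)>", parse_fields(body).get("Changed-By", ""))
    return addr.group(1) if addr else None


def triage(signed):
    """Decide what the upload processor does: notify by mail, or only log locally."""
    target = notification_target(signed)
    ok, _body, key = verify(signed)
    if target:
        return {"action": "notify", "to": target, "key": key}
    # The failure is still recorded where an operator can find it; the
    # uploader's own client is the place to surface a local rejection.
    return {"action": "log_only", "reason": "signature_unverified", "key": key}


if __name__ == "__main__":
    # Constructed .changes body for demonstration.
    body = ("Format: 1.8\nSource: example\nVersion: 1.0-1\n"
            "Changed-By: Rod Smith <rod@example.com>\n")
    print(triage(sign_changes(body, "AAAA1111", b"secret-for-rod")))
    print(triage(sign_changes(body, "BBBB2222", b"not-in-keyring")))
    print(triage(body))  # unsigned
```

A tampered envelope (address swapped after signing) fails the MAC comparison and is treated exactly like an unknown key: logged, never mailed.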