Launchpad itself

Visibly reject FTP uploads done with unrecognized keys

Bug #145853 reported by Christian Reis
4
Affects Status Importance Assigned to Milestone
Launchpad itself
Triaged
Low
Unassigned

Bug Description

We should visibly reject FTP uploads done with unrecognized keys. The way to do this would be change poppy to look the key up in the keyserver, and if it did not exist, raise an error. I know that many tools (such as dput) would probably ignore the error, but it would be nice to synchronously error out, and dput could be changed to notice this.

Revision history for this message
Christian Reis (kiko) wrote :

Low given dput ignores this, but it's an interesting idea.

Changed in soyuz:
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Celso Providelo (cprov) wrote :

we could hook a pre-processor for *.changes file uploads, it would verify the signature and let us know beforehand if it's broken or unknown.

However FTP makes it difficult to warn the user about it. If we are fast enough (which is very unlikely) the only thing we could do on the server site is to abandon the connection and it sounds even worse than swallow the upload as we are doing.

A quick *workaround* would be announcing the rejections (failures) to a public mailing list. What do you think ?

Revision history for this message
Christian Reis (kiko) wrote : Re: [Bug 145853] Re: Visibly reject FTP uploads done with unrecognized keys

On Thu, Sep 27, 2007 at 11:32:27PM -0000, Celso Providelo wrote:
> However FTP makes it difficult to warn the user about it. If we are fast
> enough (which is very unlikely) the only thing we could do on the server

I think a keyserver.internal query should be fast enough.

> site is to abandon the connection and it sounds even worse than swallow
> the upload as we are doing.

Hmmm. Can we not make the upload fail somehow ? Permission denied, or
something like that, before closing the connection?

> A quick *workaround* would be announcing the rejections (failures) to a
> public mailing list. What do you think ?

That's bug #145849.

Revision history for this message
LaserJock (laserjock) wrote :

Seems to me like it would make sense to make dput recognize an error code and display something helpful to the user. dput is the thing that is most immediate to the user.

As far as the mailing list goes, if the person doesn't know enough about the process that they upload without having a key in LP will they know to look at a mailing list to find a rejection?

Celso Providelo (cprov)
tags: added: feature soyuz-upload
Celso Providelo (cprov)
tags: added: poppy
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.