Message8419
* John Rouillard <issues@roundup-tracker.org> [20251207 23:29]:
> Thomas:
>
> You said:
>
> > And if a key (or encryption subkey) expires, you can't add new messages to
> > issues where the corresponding user is in the nosy list
>
> Does this block anybody from adding a message to the issue (via email or http)?
> Or is only the user with the expired key blocked?
It blocks anyone from adding messages.
> My initial interpretation made me think all message addition fails when
> Roundup is unable to create an encrypted nosy email to the user with the expired key.
> But I don't see how that would happen as email is sent in a reactor after the message
> has been added. I also would have expected the user to be able to add a message via HTTP
> since I see the PGP machinery invoked only via the email gateway.
It fails via http as well, users get an internal server error.
(but I haven't tested expired keys in a long time, this was with
Roundup 1.6)
> I would like to add this case to the admin_guide. Also I don't have access to the
> script https://hg.intevation.de/adminton/file/default/shebang/gpg-keyring-check-expire.
> hg.intevation.de is taking too long to respond.
AI training bots :(
They scan all repositories with all changesets in all possible ways
to view them just to train their language models. We tried blocking
their IPs or even whole networks, but new ones keep appearing every
other week, so we gave up for now and just configured an automatic
restart of the server every other hour. Just try again, it should
work often enough ...
But for easier access:

#!/bin/sh
#
# Copyright (C) 2019 by Intevation GmbH
# Authors:
# Thomas Arendsen Hein <thomas@intevation.de>
#
# check if OpenPGP keys in a specific keyring are about to expire

# run check this number of days in the future:
DAYS=60

# regexp of long keyids to ignore:
SOME_KEY="exampleabcd1234" # no encryption subkey
IGNORE="^($SOME_KEY)$"

KEYRING="$HOME/.gnupg/pubring.gpg"
GPG="gpg --no-options --trust-model always --no-default-keyring --keyring $KEYRING"

# list the long keyid of every public key that is not ignored, then try a
# test encryption to each one with the clock moved DAYS days ahead (faketime);
# if that fails, print the key so it can be renewed or replaced
$GPG --with-colons --list-public-keys \
    | awk -F: -v IGNORE="$IGNORE" '$1 == "pub" && $5 !~ IGNORE { print $5 }' \
    | while read -r recipient; do
        echo test | faketime -f +"$DAYS"d $GPG -q -er "$recipient" >/dev/null 2>&1 \
            || $GPG --list-public-keys "$recipient"
    done

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2025-12-08 08:04:57 | ThomasAH | set | recipients: + ThomasAH, rouilj |
| 2025-12-08 08:04:57 | ThomasAH | link | issue2551152 messages |
| 2025-12-08 08:04:57 | ThomasAH | create | |
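
A complementary check for hosts without `faketime`, as an added example that is not part of the original message or of the Intevation script: it parses the `gpg --with-colons` listing and flags keys that will have no usable encryption (sub)key within a given number of days, including keys with no encryption subkey at all. The function names, the reason strings, the sample listing and the fixed "now" value are constructed for illustration, and the parser assumes GnuPG 2.x colon output with expiry dates in epoch seconds.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reads `gpg --with-colons --list-public-keys` output on stdin and prints
# "<keyid> <reason>" for each primary key that has no encryption-capable
# key still usable DAYS days after NOW (epoch seconds).
check_enc_expiry() {   # usage: check_enc_expiry NOW_EPOCH DAYS
    awk -F: -v now="$1" -v days="$2" '
    function alive(validity, expires) {
        # field 2: r = revoked, e = expired, i = invalid, d = disabled
        if (validity ~ /^[reid]$/) return 0
        # field 7: expiry in epoch seconds, empty means "never expires"
        return (expires == "" || expires + 0 > limit)
    }
    function report() {
        if (key == "") return
        if (!seen) print key, "no-encryption-key"
        else if (!pubok || !ok) print key, "not-usable-in-" days "d"
    }
    BEGIN { limit = now + days * 86400 }
    # a new primary key starts: report on the previous one, reset state
    $1 == "pub" { report(); key = $5; seen = 0; ok = 0; pubok = alive($2, $7) }
    $1 == "pub" || $1 == "sub" {
        # field 12: a lower-case "e" means this (sub)key itself can encrypt
        if ($12 ~ /e/) { seen = 1; if (alive($2, $7)) ok = 1 }
    }
    END { report() }'
}

# Constructed sample listing (key ids and dates are made up):
#   A: encryption subkey never expires      B: subkey expires 30 days after "now"
#   C: sign/certify only, no encryption key D: old subkey expired, new one valid
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
sub:-:4096:1:AAAAAAAAAAAAAA01:1500000000::::::e:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:::-:::scESC:
sub:-:4096:1:BBBBBBBBBBBBBB01:1500000000:1767744000:::::e:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:::-:::scSC:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1500000000:::-:::scESC:
sub:e:4096:1:DDDDDDDDDDDDDD01:1500000000:1700000000:::::e:
sub:-:4096:1:DDDDDDDDDDDDDD02:1700000000:1799712000:::::e:
EOF
}

# Constructed "now" so the result is reproducible; use "$(date +%s)" and a
# real `gpg --with-colons --list-public-keys` pipe in practice.
sample_listing | check_enc_expiry 1765152000 60
```

Unlike the test encryption in the script above, this only reads key metadata, so it does not catch failures that show up only when gpg actually encrypts.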