© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
In theory, doing authentication is just a matter of tying our existing bits together. Launchpad can validate a GPG signature. bzr can verify that the signed testament is correct. Once we can perform validation, we'll probably want to store this in a database attribute, e.g. an enum.
However, there are many states:
Validated with the committer's key
Validated with some other key
Unknown key
No signature
Signed with a known key, and not valid
Incorrectly signed
No signature will be a very, very common case. Bazaar itself doesn't support checking signatures, so the incentive to sign is small.
I suggest that in the web UI, we mark validated revisions specially, and mark revisions that failed validation specially. Revisions with no signature would display normally.
I'm not sure what to suggest about about revisions signed with some other key. Maybe add extra text saying who signed it if it isn't the committer. This case may be so rare that we don't need to bother with it.