My bank is sending me an e-mail every time I log into the home banking system, so that I can spot malicious logins.
My credit card is sending me an SMS message every time it gets charged, so that I can spot malicious charges.
Can I get a notification of every Debian upload done with my key, so that I can spot if my key has been stolen?
Let's work on that. As a start, thanks to Ganneff, here is how to do a one-off audit:
# go to merkel to access projectb, which is the postgresql database
# with all dak information
$ ssh merkel
merkel$ psql projectb

# look up the database id of my fingerprint
projectb=> select id, fingerprint from fingerprint where fingerprint like '%797EBFAB';
 id  |               fingerprint
-----+------------------------------------------
 394 | 66B4DFB68CB24EBBD8650BC4F4B4B0CC797EBFAB
(1 row)

# get a list of all uploads done with my key, sorted by date
projectb=> select * from source where sig_fpr=394 order by install_date desc;
First you get to do it (done); then you document it (done); then you automate it. It's quite trivial at this point, so enjoy the new Debian upload monitor.
It's got search as you type to find your full fingerprint, then you get an HTML page with the log of your uploads in the last 2 months, and the page has an RSS feed that you can use to track your own uploads.
Also, generating all this static content is acceptably fast:
merkel$ time ./deb-key-audit

real    0m7.145s
user    0m4.244s
sys     0m0.384s
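To show the shape of such a monitor end to end, here is an added example; it is not the keylog code from the repository below, and it does not talk to projectb. It recreates the two tables the one-off audit touches, fingerprint (id, fingerprint) and source (sig_fpr, install_date), in an in-memory SQLite database with constructed rows, then runs the same two steps as the audit: resolve a fingerprint suffix to its database id (refusing ambiguous matches, since a short key id can be shared by more than one key) and list the uploads of the last two months, and finally renders them as a minimal RSS feed. The source and version columns, the timestamp format, and all upload rows are assumptions made for the example.

```python
"""Added example of a Debian upload monitor over a mock of projectb.

Not Enrico's keylog code: the `fingerprint` and `source` tables are
recreated in SQLite with constructed rows so that the script runs offline.
Column names other than those in the post (source, version) are assumed.
"""
import sqlite3
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Constructed sample data.  The first fingerprint is the one quoted in the
# post; the second is made up and shares only its last six hex digits with
# it, to exercise the ambiguous-suffix check.  All upload rows are made up.
SAMPLE_FINGERPRINTS = [
    (394, "66B4DFB68CB24EBBD8650BC4F4B4B0CC797EBFAB"),
    (401, "0123456789ABCDEF0123456789ABCDEF2C7EBFAB"),
]
SAMPLE_SOURCES = [
    # (source, version, sig_fpr, install_date) -- assumed columns
    ("debtags", "1.7.1", 394, "2008-04-02 10:15:00"),
    ("dballe", "4.0.2", 394, "2008-03-20 08:30:00"),
    ("wibble", "0.1.12", 394, "2007-12-01 12:00:00"),  # older than 2 months
    ("foo", "1.0-1", 401, "2008-04-01 09:00:00"),        # signed by another key
]


def build_sample_db():
    """Create the in-memory mock of the two projectb tables used by the audit."""
    db = sqlite3.connect(":memory:")
    db.execute("create table fingerprint (id integer primary key, fingerprint text)")
    db.execute("create table source (source text, version text,"
               " sig_fpr integer, install_date text)")
    db.executemany("insert into fingerprint values (?, ?)", SAMPLE_FINGERPRINTS)
    db.executemany("insert into source values (?, ?, ?, ?)", SAMPLE_SOURCES)
    return db


def lookup_fingerprint(db, suffix):
    """Resolve a fingerprint suffix (e.g. the 8-digit key id) to (id, fingerprint).

    Same LIKE query as the one-off audit.  More than one match means the
    suffix is too short to identify the key, so refuse rather than guess.
    """
    rows = db.execute(
        "select id, fingerprint from fingerprint where fingerprint like ?",
        ("%" + suffix.upper(),),
    ).fetchall()
    if len(rows) != 1:
        raise LookupError(f"{len(rows)} fingerprints match {suffix!r}; give more hex digits")
    return rows[0]


def recent_uploads(db, fpr_id, now, days=60):
    """Uploads signed by the key in the last `days` days, newest first."""
    since = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    return db.execute(
        "select source, version, install_date from source"
        " where sig_fpr = ? and install_date >= ? order by install_date desc",
        (fpr_id, since),
    ).fetchall()


def to_rss(fingerprint, uploads):
    """Render the upload list as an RSS 2.0 document (one item per upload)."""
    items = "".join(
        f"<item><title>{escape(src)} {escape(ver)}</title>"
        f"<pubDate>{escape(date)}</pubDate></item>"
        for src, ver, date in uploads
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel>'
        f"<title>Uploads signed by {escape(fingerprint)}</title>"
        f"{items}</channel></rss>"
    )


if __name__ == "__main__":
    db = build_sample_db()
    fid, fpr = lookup_fingerprint(db, "797EBFAB")
    print(to_rss(fpr, recent_uploads(db, fid, datetime(2008, 4, 5))))
```

The RSS output is deliberately plain: the point of the feed is that an upload you did not make shows up in a reader you already watch, which is the same mechanism as the bank's login e-mails. Note that PostgreSQL's LIKE is case-sensitive, so the suffix is upper-cased before matching; SQLite's is not, which is why the example behaves the same either way.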
If you want to see the code, you can
git clone http://merkel.debian.org/~enrico/keylog.git
Currently it wrongly encodes UTF-8 characters: I suppose the strings come out of the database as ASCII instead of UTF-8. A patch would be welcome to fix that.
I will now contact QA to see what we can do with it; if it ends up fitting in some bigger picture then it may be that the RSS links will change, but I'll post about it in that case.