code of conduct status after PGP key deactivation

Asked by Phil Pennock

I have updated my account, eventually, so my account is consistent, but it took far too much searching and encountering bugs and misstatements of reality before I could do so, thus I am providing this feedback report.

I had 3 PGP keys in my account; I deactivated the older two (1024/DSA) leaving only one PGP key (4096/RSA). The management page warned "deactivating a key in Launchpad disables all Launchpad features that use that key such as signed codes of conduct".

When I look at my overview, I'm still listed as having signed the code of conduct. When I click on that, to go to +codesofconduct I see one active signature, from 2012-02-12 with a 1024D key and the version signed is v1.1.

When I click "See or sign new code of conduct releases" I'm told that I've signed (and not told that I've only signed an old version, since the current version is v2.0).

When I search for instructions on re-signing the Code, the first few documentation links end up at a page which points back to the page in my account and says to follow the instructions, but the instructions are not present because I've "already signed".

I eventually found <https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Signing_Data> and used the upload link there to provide the clearsigned code of conduct, such that my account now has the current code signed with the current key.

I think that if the code-of-conduct signing status is to change after key revocation, an event should fire such that my status page reflects this in a timely manner instead of claiming everything is happy, when the only signature is with a deactivated key.

I think that if there is a newer version of the code-of-conduct, or the current version is not signed by an active key, then the code of conduct page in the account overview should include the links and action steps to resolve this.

I think that the help page <https://help.launchpad.net/Signing%20the%20Ubuntu%20Code%20of%20Conduct> could do with more links or steps to handle exception situations, instead of assuming that the dynamically generated profile code-of-conduct page will have all the steps listed, at least for as long as it's possible for that page to not include all the steps.

Thanks.

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee

William Grant (wgrant) said :
#1

Ubuntu decided that the Code of Conduct 2.0 should not require a fresh signature from 1.1 signatories, so it's not necessary nor possible to sign 2.0 in Launchpad if you've already signed 1.1. The same applies to deactivated or expired OpenPGP keys; we just need to know that you as a person have signed the CoC, so there's no need to sign it again with a new key.

Phil Pennock (phil.pennock) said :
#2

In that case, the text in `https://launchpad.net/~USERCODE/+editpgpkeys` needs to be updated, because at present it says:

```
Note: deactivating a key in Launchpad disables all Launchpad features that use that key such as signed codes of conduct.
```

If the impact of disabling a key has changed, then that text needs to go, to avoid sending people on wild goose chases.

Thanks,
-Phil
