send mail on repeated hkp upload
Context: We don't generally send out verification emails when keys are uploaded via the hkp /pks/add endpoint. The reason is that gpg --send-keys is traditionally used to upload keys of other people for WoT workflows, and unsolicited emails will make people angry at us :) As one exception, when we see a key for the first time via this upload, we'll send a "welcome" email, based on the assumption that it's a freshly generated key that's being uploaded by its owner.
This MR adds a second exception, where if the same key is uploaded twice within a ratelimit timespan, and there are unpublished email addresses left, we'll send an "upload" email (similar to the welcome email) to its primary address.
The reason this came up is because the pks/add endpoint has an access pattern of repeated uploads from the same IP within a few minutes that comes up significantly often (I didn't run statistics, but I'd say almost half of pks/add access?). It's not a complete solution, obviously, but it should cover another few cases that ended up as support emails. I didn't document this feature, and I'm not sure we should due to its heuristic nature ("in gpg4win, hit upload twice to get the email").
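The decision described above, sketched as an added example (not code from this MR or from the project). UploadTracker, Mail, the 10-minute window, the sample fingerprint and address are hypothetical; it also assumes that the welcome mail does not start a window and that each upload mail needs a fresh pair of uploads.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
enum Mail {
    None,
    Welcome(String), // key seen for the first time
    Upload(String),  // same key uploaded again inside the window
}

// Hypothetical tracker: fingerprint -> time of the last upload that sent no mail.
struct UploadTracker {
    window: Duration,
    last_upload: HashMap<String, Instant>,
}

impl UploadTracker {
    fn new(window: Duration) -> Self {
        Self { window, last_upload: HashMap::new() }
    }

    /// Decide which mail, if any, one upload via /pks/add triggers.
    /// `known` is whether the key was already stored before this upload.
    fn on_upload(&mut self, fpr: &str, known: bool, primary: &str,
                 unpublished: &[&str], now: Instant) -> Mail {
        if !known {
            // Assumption: the owner was just mailed, so no window is opened.
            return Mail::Welcome(primary.to_string());
        }
        let repeated = self.last_upload.get(fpr)
            .map_or(false, |t| now.duration_since(*t) <= self.window);
        if repeated && !unpublished.is_empty() {
            // Assumption: drop the entry so a third upload does not mail again.
            self.last_upload.remove(fpr);
            return Mail::Upload(primary.to_string());
        }
        // First upload, expired window, or nothing left to verify: just record it.
        self.last_upload.insert(fpr.to_string(), now);
        Mail::None
    }
}

fn main() {
    let mut tracker = UploadTracker::new(Duration::from_secs(600));
    let (t0, addr) = (Instant::now(), "alice@example.org"); // constructed sample
    for secs in [0u64, 120, 180] {
        let at = t0 + Duration::from_secs(secs);
        println!("{:?}", tracker.on_upload("FPR-SAMPLE", true, addr, &[addr], at));
    }
}
```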