
Re: The future of an SCC that has been given up on



Thorsten,

Doesn't seem to specify the protocol clearly. Yes, I know FTP sucks. But what's
the simple alternative for anonymous uploads?

That’s the point – WHY should these uploads be anonymous? In my opinion,
they must NOT be anonymous. (Not that we’d need the name of the uploader
but the uploads are at least roughly authorised that way.)

Uploads are authorized by way of a signed .changes file. Who uploads once signed does not matter. Everything not referenced in a signed .changes file should always be deleted from the upload queue.

By all means, use ssh upload if you prefer. I'm just worried about having to keep track of uploader ssh keys.

dupload used to have an ssh upload queue option. Even an rsync over ssh one. If
we use either, I don't see the need for signed log files.

Logfiles aren’t uploaded with dput or dupload. They’re ignored by these
tools, as they’re not listed in the .changes file. Uploading logs is
totally orthogonal to uploading packages.

You're right there - logfiles are unsigned so there needs to be some authentication perhaps.
Upload a detached signature alongside the logfile?

Cheers,

   Michael
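
The queue rule stated in the message above (delete everything a signed .changes file does not reference), as an added Python example that is not from the original thread or from dput/dupload. It assumes the caller has already verified the OpenPGP signature on each .changes file (for example with gpgv); `triage_queue` and `demo` are hypothetical names, and all file names and contents are constructed.

```python
import hashlib
import os
import tempfile

def parse_sha256_entries(changes_text):
    """Return {filename: (size, sha256)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            entries[name] = (int(size), digest)
        else:
            in_field = False
    return entries

def triage_queue(queue_dir, verified_changes):
    """verified_changes: {name: text}, signatures assumed verified by the caller."""
    wanted = {}
    for text in verified_changes.values():
        wanted.update(parse_sha256_entries(text))
    accept, delete = [], []
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        if name in verified_changes:
            accept.append(name)
        elif name not in wanted or os.path.islink(path) or not os.path.isfile(path):
            delete.append(name)  # unreferenced (e.g. a build log) or not a regular file
        else:
            with open(path, "rb") as fh:
                data = fh.read()
            ok = (len(data), hashlib.sha256(data).hexdigest()) == wanted[name]
            (accept if ok else delete).append(name)  # size or hash mismatch: delete
    return accept, delete

def demo():
    """Constructed sample queue: one intact file, one tampered file, one log."""
    good, bad = b"constructed package bytes", b"constructed source bytes"
    changes = "Source: hello\nChecksums-Sha256:\n"
    for name, data in (("hello_1.0_all.deb", good), ("hello_1.0.dsc", bad)):
        changes += f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n"
    with tempfile.TemporaryDirectory() as q:
        files = {"hello_1.0_all.deb": good, "hello_1.0.dsc": bad + b"!",
                 "hello_1.0_amd64.build": b"log", "hello_1.0_all.changes": changes.encode()}
        for name, data in files.items():
            with open(os.path.join(q, name), "wb") as fh:
                fh.write(data)
        return triage_queue(q, {"hello_1.0_all.changes": changes})
```

In the constructed queue the unsigned build log and the modified .dsc land in the delete list, while the .changes file and the matching .deb are accepted.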

