Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition

To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
From: Philipp Kern <pkern@debian.org>
Date: Sat, 15 Feb 2014 17:14:44 +0100
Message-id: <[🔎] 43b8290b3d8f1f2f37b01636e93370ad@hub.kern.lc>
In-reply-to: <[🔎] 20140215143421.GB5400@khazad-dum.debian.net>
References: <[🔎] 1392295131.23481.82943513.2A8023E7@webmail.messagingengine.com> <[🔎] 201402131713.36134.holger@layer-acht.org> <[🔎] CANBHLUiZS-YU8-NnoJv7Z7fYYxSdMrL-6fF2zgeSkQV8JC4OJA@mail.gmail.com> <[🔎] 201402132217.51462.holger@layer-acht.org> <[🔎] 20140213235201.GA2646@riva.ucam.org> <[🔎] 20140214130140.GC7120@grep.be> <[🔎] 20140214131038.GA20145@jwilk.net> <[🔎] 20140214153925.GF16994@grep.be> <[🔎] 20140214154216.GA2805@helios.pault.ag> <[🔎] 38ac36ebdcf91d9faeed2039ab3694dd@hub.kern.lc> <[🔎] 20140215143421.GB5400@khazad-dum.debian.net>

On 2014-02-15 15:34, Henrique de Moraes Holschuh wrote:

On Sat, 15 Feb 2014, Philipp Kern wrote:
That's why I was careful to publish the address nowhere. We do some
Unfortunately, that cat is out of the bag, now. Whether it will getspammed
or attacked, I don't know.
However, it is not like we ever could trust the logs anyway for anysecuritypurposes, as they are not signed by the same key that signed therespectivechanges file for the upload. Currently, they're useful for debugpurposes,
and that's it (which is fine).

Yeah, they could be, if sbuild is extended to sign the logs. That said,we do trust our mail-in. We can trust the received headers to somedegree (for timestamps and where the mail came from), but we cannot ruleout on-disk tampering.


Kind regards
Philipp Kern

Reply to:

Follow-Ups:
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: "Schlacta, Christ" <aarcane@aarcane.org>

References:
- Please upgrade your build environment when you are affected by transition
  - From: Ondřej Surý <ondrej@sury.org>
- when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Holger Levsen <holger@layer-acht.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Dimitri John Ledkov <xnox@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Holger Levsen <holger@layer-acht.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Colin Watson <cjwatson@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Wouter Verhelst <wouter@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Jakub Wilk <jwilk@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Wouter Verhelst <wouter@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Paul Tagliamonte <paultag@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Philipp Kern <pkern@debian.org>
- Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
Next by Date: Bug#739064: ITP: liblogging -- easy to use and lightweight logging library
Previous by thread: Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
Next by thread: Re: when will we finally throw away binary uploads (Re: Please upgrade your build environment when you are affected by transition
Index(es):
- Date
- Thread