
Re: git & Debian packaging sprint report



Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
> Russ Allbery writes ("Re: git & Debian packaging sprint report"):

>> If so, I think that security model is roughly equivalent to the
>> automatic signing of binary packages by buildds, so probably doesn't
>> introduce a new vulnerability, but my understanding was that the
>> identity of the signature on the source package was used in various
>> other places.  Presumably we would need to introduce some new metadata
>> so that the uploader is mapped properly to the Git tag signer, rather
>> than to some internal identity of the source package construction
>> service.

> I think in general those places are probably mistakes.  But I'm not
> aware of all of them.  One way to look at this is that from the
> archive's point of view this robot is a kind of sponsor.  I don't
> think anything will go badly wrong.

What if I'm actually sponsoring a package and use this tool to upload it?
I feel like overwriting the sponsor information for the package would lose
information.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
