Re: tag2upload service architecture and risk assessment - draft v2
On Tuesday, August 27, 2019 8:04:06 PM EDT Russ Allbery wrote:
> Scott Kitterman <debian@kitterman.com> writes:
> > As an example, I recall concerns about there not being an uploader
> > signature on the source anymore, so we would lose the ability to verify
> > from the archive who was responsible for the upload.
>
> Does anyone do this? Does it work today?
>
> I'm dubious that you would be able to successfully verify all of the
> archive from *.dsc signatures now. Maybe you would be able to verify the
> pieces that are the most important to you, though?
>
> I think this requirement is a bit incomplete, in that I don't understand
> the use case that would lead you to want to do this. It's more of a
> description of an implementation strategy than a use case, which makes it
> hard to find other ways of accomplishing the same use case.
I sometimes use who-uploads from devscripts when I want to find out who
actually did an upload. In theory, it could be re-written to support
whatever.
I also check that the signature validates when I download a package from the
archive. I like the fact that this signature connects to a developer key in
the keyring.
That said, I'm not the one who suggested losing this would be a problem in the
previous thread, so I can't say what they were thinking. I just don't think
the threat assessment is a serious response to what people were suggesting.
It would be a mistake to assume silence is concurrence.
I may be wrong, but I think Ian's made up his mind what he wants to do, so
there's not a lot of point in convincing him otherwise.
Scott K
Reply to: