Re: tag2upload service architecture and risk assessment - draft v2
On Tue, Aug 27, 2019 at 05:04:06PM -0700, Russ Allbery wrote:
> Scott Kitterman <debian@kitterman.com> writes:
>
> > As an example, I recall concerns about there not being an uploader
> > signature on the source anymore, so we would lose the ability to verify
> > from the archive who was responsible for the upload.
>
> Does anyone do this? Does it work today?
>
> I'm dubious that you would be able to successfully verify all of the
> archive from *.dsc signatures now. Maybe you would be able to verify the
> pieces that are the most important to you, though?
>
> I think this requirement is a bit incomplete, in that I don't understand
> the use case that would lead you to want to do this. It's more of a
> description of an implementation strategy than a use case, which makes it
> hard to find other ways of accomplishing the same use case.
Not sure if I understood this correctly, but the MIA team (via echolon?)
uses the information to tell us if there is an upload from a prossible
MIA person. (IOW the person is still active.)
I also use who-uploads occasionally to see if a sponsor knows about
where-abouts of some possible MIA persons.
> --
> Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
>
Reply to: