Re: tag2upload service architecture and risk assessment - draft v2

To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: tag2upload service architecture and risk assessment - draft v2
From: Tobias Frost <tobi@debian.org>
Date: Wed, 28 Aug 2019 08:17:26 +0200
Message-id: <[🔎] 20190828061725.GA28759@coldtobi.de>
In-reply-to: <[🔎] 87r256xiix.fsf@hope.eyrie.org>
References: <[🔎] 23900.11950.21756.780115@chiark.greenend.org.uk> <[🔎] 23909.24490.724219.512423@chiark.greenend.org.uk> <[🔎] 23909.26130.546529.438293@chiark.greenend.org.uk> <[🔎] 3434823.CiSL2mD1TX@l5580> <[🔎] 87r256xiix.fsf@hope.eyrie.org>

On Tue, Aug 27, 2019 at 05:04:06PM -0700, Russ Allbery wrote:
> Scott Kitterman <debian@kitterman.com> writes:
> 
> > As an example, I recall concerns about there not being an uploader
> > signature on the source anymore, so we would lose the ability to verify
> > from the archive who was responsible for the upload.
> 
> Does anyone do this?  Does it work today?
> 
> I'm dubious that you would be able to successfully verify all of the
> archive from *.dsc signatures now.  Maybe you would be able to verify the
> pieces that are the most important to you, though?
> 
> I think this requirement is a bit incomplete, in that I don't understand
> the use case that would lead you to want to do this.  It's more of a
> description of an implementation strategy than a use case, which makes it
> hard to find other ways of accomplishing the same use case.

Not sure if I understood this correctly, but the MIA team (via echolon?)
uses the information to tell us if there is an upload from a prossible
MIA person. (IOW the person is still active.)
I also use who-uploads occasionally to see if a sponsor knows about
where-abouts of some possible MIA persons.

> -- 
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
>

Reply to:

Follow-Ups:
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Russ Allbery <rra@debian.org>

References:
- tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Scott Kitterman <debian@kitterman.com>
- Re: tag2upload service architecture and risk assessment - draft v2
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: tag2upload service architecture and risk assessment - draft v2
Next by Date: Re: tag2upload service architecture and risk assessment - draft v2
Previous by thread: Re: tag2upload service architecture and risk assessment - draft v2
Next by thread: Re: tag2upload service architecture and risk assessment - draft v2
Index(es):
- Date
- Thread