
Re: tag2upload service architecture and risk assessment - draft v2



Tobias Frost <tobi@debian.org> writes:

> Not sure if I understood this correctly, but the MIA team (via echelon?)
> uses the information to tell us if there is an upload from a possible
> MIA person. (IOW the person is still active.)
> I also use who-uploads occasionally to see if a sponsor knows about
> whereabouts of some possible MIA persons.

One of the things I'm trying to understand is if the cryptographic
signature part is important, or if metadata about who uploaded a package
last without a cryptographic binding to the *.dsc file would solve the
same use case.

For who-uploads, I think you just need a trusted metadata store somewhere,
and recovering this from the PGP signatures on *.dsc files is not a great
trusted metadata store (among other things, it's tedious and complicated
to search).

The cryptographic binding becomes important if we for some reason don't
trust archive upload records maintained by DAK, and I'm not sure of a use
case for that.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

