
Re: tag2upload service architecture and risk assessment - draft v2



Russ Allbery writes ("Re: tag2upload service architecture and risk assessment - draft v2"):
> For who-uploads, I think you just need a trusted metadata store somewhere,
> and recovering this from the PGP signatures on *.dsc files is not a great
> trusted metadata store (among other things, it's tedious and complicated
> to search).

Also, my proposal includes the original uploader information in
additional .dsc fields.  So it wouldn't be hard to teach existing
machineries (which look at the .dsc signer) to use the new
information, and there is no actual need for a new database anywhere.

> The cryptographic binding becomes important if we for some reason don't
> trust archive upload records maintained by DAK, and I'm not sure of a use
> case for that.

In my proposal the source package is reproducible (in the
"reproducible builds" sense) from the uploader's signed git tag.  That
is admittedly less convenient to verify than just checking the
.dsc signature.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
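The verification step the message above alludes to, once the source package has been regenerated from the signed tag, is to compare the regenerated files against the checksums recorded in the archive's .dsc. The script below is an added illustration of that comparison, not code from the thread, from tag2upload or from dgit. The Checksums-Sha256 field it parses is the real .dsc field (one continuation line per file: hash, size, filename); the package name, file names and file contents are constructed here so the check runs offline, and the rendered .dsc omits the remaining fields and the OpenPGP clearsign wrapper. Verifying the tag signature and performing the rebuild itself are out of scope.

```python
"""Compare a regenerated Debian source package against the Checksums-Sha256
field of its .dsc (added example for this thread; not project code)."""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the files of an uploaded source package.
UPLOADED_FILES: Dict[str, bytes] = {
    "example_1.0.orig.tar.xz": b"orig tarball\n",
    "example_1.0-1.debian.tar.xz": b"debian dir\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def render_checksums_sha256(files: Dict[str, bytes]) -> str:
    """Render the Checksums-Sha256 field in .dsc layout: an empty header
    line followed by ' <sha256> <size> <name>' continuation lines."""
    lines = ["Checksums-Sha256:"]
    for name, data in sorted(files.items()):
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def make_dsc(files: Dict[str, bytes]) -> str:
    """Build the subset of a .dsc needed here.  A real .dsc carries more
    fields (Binary, Maintainer, Files, ...) and is clearsigned; this
    constructed version keeps only what the check reads."""
    return (
        "Format: 3.0 (quilt)\n"
        "Source: example\n"
        "Version: 1.0-1\n"
        + render_checksums_sha256(files)
    )


def parse_checksums_sha256(dsc_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    .dsc fields are RFC822-style: continuation lines begin with whitespace,
    and the field ends at the first line that does not."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field:
            if line.startswith((" ", "\t")):
                digest, size, name = line.split()
                entries[name] = (digest.lower(), int(size))
                continue
            in_field = False
        if line.lower().startswith("checksums-sha256:"):
            in_field = True
    return entries


def verify_reproduction(dsc_text: str, regenerated: Dict[str, bytes]) -> List[str]:
    """Return a list of discrepancies between the .dsc and the regenerated
    files.  An empty list means every listed file was reproduced exactly
    and nothing extra was produced."""
    expected = parse_checksums_sha256(dsc_text)
    problems: List[str] = []
    for name, (digest, size) in expected.items():
        data = regenerated.get(name)
        if data is None:
            problems.append(f"{name}: missing from regenerated source package")
            continue
        if len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        if sha256_hex(data) != digest:
            problems.append(f"{name}: sha256 mismatch")
    for name in regenerated:
        if name not in expected:
            problems.append(f"{name}: not listed in .dsc")
    return problems


if __name__ == "__main__":
    dsc = make_dsc(UPLOADED_FILES)
    print("exact rebuild:", verify_reproduction(dsc, UPLOADED_FILES))
    tampered = dict(UPLOADED_FILES)
    tampered["example_1.0-1.debian.tar.xz"] = b"debian dir!\n"
    print("altered rebuild:", verify_reproduction(dsc, tampered))
```

In practice the .dsc text comes from the archive and the regenerated files from rebuilding the source package out of the signed git tag; only if the list is empty does the tag actually vouch for what the archive holds.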

