
Re: Building Debian source packages reproducibly (was: Re: [RFC] Proposal for new source format)



On Monday, October 28, 2019 9:45:36 AM EDT Theodore Y. Ts'o wrote:
> On Mon, Oct 28, 2019 at 10:05:11AM +0100, Didier 'OdyX' Raboud wrote:
> > Where I'm coming from is that we were discussing the tag2upload problem at
> > miniDebConf Vaumarcus. The heart of the problem is that FTP-Master are
> > (currently) not going to accept .dscs built reproducibly by a (even
> > trusted) service. tag2upload is built on the idea that a signed git tag
> > is the only needed thing (`git tag -s`) to trigger an upload, and that is
> > not going to fly currently.
> 
> Ah, now I understand the problem you're trying to solve; thanks for
> the context.
> 
> What are FTP Master's objections?  Given that they *do* accept a
> source-only upload, which is just a signed dsc plus the source/debian
> tarballs, I would presume all that would be necessary is 
> demonstrate that we have tools which can reliably translate between a
> git commit and the dsc plus source tarball, and (b) that the git tree
> is stored in Debian project infrastructure so we can be assured that
> it can be stored with the same level of assurance as where we store
> the source tar files.
> 
> Do they have other concerns?  If so, what are they?  I would be
> surprised that it has anything at all to do with reliable builds,
> given the acceptance of source-only uploads today.

My recollection of the discussion is that the key (pun intended) factor is 
signed by who.  Currently all uploads are signed by an individual authorized 
to upload the package to the archive.  The tag2upload proposal is premised on 
such keys being replaced by a single service based signing key.

Effectively tag2upload would replace DAK as the entry point for packages into 
the archive (the equivalent to the current source package signature 
verification being the git tag signature verification).  I don't think the 
discussion got to a point where a path forward that was considered reasonable 
by both the tag2upload developers and the FTP Masters was reached.

There was a fair amount of discussion on this point in the tag2upload threads.

Scott K


