
Re: Tagging in Salsa -> upload: status?



Sean Whitton writes:
> Ian and I implemented something along these lines last summer and it's
> available to try from the archive; here is how:
>     <https://spwhitton.name/blog/entry/tag2upload/>
>
> As to the current status: FTP Team members objected to having
> uploader-signed git tags on dgit.debian.org be the canonical record of
> an uploader's intended source package (rather than uploader-signed .dsc
> files stored on other servers), and they objected to the ways in which
> the system relies on git SHA1 hashes.
>
> I still believe that the design is sound and deploying the system can
> and should go ahead, but we could not overcome the disagreement.

There are also other issues such as the system seeming to accept
uploads from known-compromised keys last I looked at it, though maybe
security experts disagree how much of an issue this is in practice.

Ansgar

