Re: Planned changes to Debian Maintainer uploads
On Sun, Jun 10, 2012 at 7:57 PM, Ansgar Burchardt wrote:
> The ftp team wants to change how allowing Debian Maintainers to upload
> packages works.
Excellent, I have wanted this change for a while.
> The current approach with the DM-Upload-Allowed field
> has a few issues we would like to address:
In addition, it is easy for DDs to miss the addition of DMUA in
initial uploads and later ones. For example, one of the ftp sponsored
adding DMUA to a package while the sponsored-maintainer wasn't and
still isn't a DM.
> We plan to instead implement an interface where developers upload a
> signed command file to ftp-master to grant upload permissions instead,
> similar to dcut. This could end up looking similar to this:
How about adding a timestamp to avoid replay attacks?
> Here "Allow" would add additional packages to the list of packages the
> Debian Maintainer (identified by his key fingerprint) may upload.
> "Deny" would be used to revoke this permission again. Any DD may use
> this to grant/revoke upload permissions to existing packages (i.e. at
> least in NEW); referring to non-existing packages will be an error (at
> least for Allow).
Should that not be restricted to DDs who can upload? Since we have
non-uploading DDs, since those aren't trusted to upload, should they
be trusted to give upload permissions to others?
> Please note that we currently do not know when we might get around to
> implementing these changes.
I had intended to try and look at this during DebCamp.
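
An added example, not part of the original thread and not code from the archive software: a sketch of the timestamp check suggested above, showing that an old "Allow" re-sent after a later "Deny" is rejected. The field names, the HMAC used as a stand-in for the OpenPGP signature, the signer ids and the two time limits are all assumptions made for illustration.

```python
import hashlib
import hmac

MAX_AGE = 7 * 24 * 3600   # assumed freshness window in seconds
MAX_SKEW = 300            # assumed tolerance for signer clocks running ahead

def sign(key: bytes, body: str) -> str:
    # Stand-in for the OpenPGP signature; the timestamp is inside the signed body.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def command(action: str, fingerprint: str, package: str, timestamp: int) -> str:
    # Hypothetical field layout, constructed for this example.
    return (f"Action: {action}\nFingerprint: {fingerprint}\n"
            f"Package: {package}\nTimestamp: {timestamp}\n")

class CommandProcessor:
    def __init__(self, keys: dict):
        self.keys = keys        # signer id -> verification key
        self.newest = {}        # signer id -> newest timestamp accepted so far
        self.allowed = set()    # (DM fingerprint, package) pairs

    def process(self, signer: str, body: str, signature: str, now: int) -> str:
        key = self.keys.get(signer)
        if key is None or not hmac.compare_digest(sign(key, body), signature):
            return "bad-signature"
        try:
            f = dict(line.split(": ", 1) for line in body.splitlines())
            ts, action = int(f["Timestamp"]), f["Action"]
            entry = (f["Fingerprint"], f["Package"])
        except (KeyError, ValueError):
            return "malformed"
        if action not in ("Allow", "Deny"):
            return "malformed"
        if ts > now + MAX_SKEW or now - ts > MAX_AGE:
            return "stale"      # outside the accepted time window
        if ts <= self.newest.get(signer, -1):
            return "replayed"   # not newer than a command already accepted
        self.newest[signer] = ts
        if action == "Allow":
            self.allowed.add(entry)
        else:
            self.allowed.discard(entry)
        return "ok"
```

The window alone only bounds how long a captured file stays usable; the per-signer "newest timestamp" record is what rejects a replay inside the window.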