[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Planned changes to Debian Maintainer uploads

On Sun, Jun 10, 2012 at 7:57 PM, Ansgar Burchardt wrote:

> The ftp team wants to change how allowing Debian Maintainers to upload
> packages works.

Excellent, I have wanted this change for a while.

> The current approach with the DM-Upload-Allowed field
> has a few issues we would like to address:

In addition, it is easy for DDs to miss the addition of DMUA in
initial uploads and later ones. For example one of the ftp sponsored
adding DMUA to a package while the sponsored-maintainer wasn't and
still isn't a DM.

> We plan to instead implement an interface where developers upload a
> signed command file to ftp-master to grant upload permissions instead,
> similar to dcut.  This could end up looking similar to this:

How about adding a timestamp to avoid replay attacks?

> Here "Allow" would add additional packages to the list of packages the
> Debian Maintainer (identified by his key fingerprint) may upload.
> "Deny" would be used to revoke this permission again[1].  Any DD may use
> this to grant/revoke upload permissions to existing packages (ie. at
> least in NEW); referring to non-existing packages will be an error (at
> least for Allow).

Should that not be restricted to DDs who can upload? Since we have
non-uploading DDs, since those aren't trusted to upload, should they
be trusted to give upload permissions to others?

> Please note that we currently do not know when we might get around to
> implement these changes.

I had intended to try and look at this during DebCamp.



Reply to: