Re: [RFC] General Resolution to deploy tag2upload

To: Ian Jackson <ijackson@chiark.greenend.org.uk>, Helmut Grohne <helmut@subdivi.de>
Cc: Ansgar 🙀 <ansgar@43-1.org>, Sean Whitton <spwhitton@spwhitton.name>, debian-vote@lists.debian.org
Subject: Re: [RFC] General Resolution to deploy tag2upload
From: Joerg Jaspert <joerg@debian.org>
Date: Wed, 12 Jun 2024 23:23:27 +0200
Message-id: <[🔎] 871q51onxs.fsf@ganneff.de>
In-reply-to: <[🔎] 26217.39029.509566.207415@chiark.greenend.org.uk>
References: <[🔎] 87wmmvrubl.fsf@melete.silentflame.com> <[🔎] 1d18bfee6b3b6beec5a9804d1e879339f0edee90.camel@43-1.org> <[🔎] 20240612090822.GA3640953@subdivi.de> <[🔎] 26217.39029.509566.207415@chiark.greenend.org.uk>

On 17258 March 1977, Ian Jackson wrote:

> And we also remove the Debian Maintainer role as dak would no> longer
> know who uploaded the package? Debian is larger than only Debian
> Developers.
This is a policy aspect. When we need to revoke a key used foruploading
this happens via keyring maintainers as far as I understand, but in
urgent cases it is ftp master who can also deny upload rights more
quickly than via a keyring update. In moving to tag2upload as aservice
external to ftp, we partially move this capability from ftp master to
the entity running tag2upload (DSA afaiui). Is there a sensible wayto
leave this policy aspect with the ftp team when using the tag2upload
service? In effect, I'm asking whether ftp could somehow provide an
authorization oracle to be used by tag2upload.
tag2upload leaves this policy with the ftpmaster team.  It uses the
archive keyrings and dak's list of Debian Maintainers.

So there is no change here.


Actually, we can set acls on fingerprints and then that key wont be able
to upload anymore. That is not something recorded in the keyrings or the
DM list. Obviously that is not something used often (really really
seldom), it is more for "this key is compromised badly, please turn off

anything with it *NOW*" situations, which it's what Helmut meant withthe

urgent cases.

--
bye, Joerg

Reply to:

Follow-Ups:
- Re: [RFC] General Resolution to deploy tag2upload
  - From: Sean Whitton <spwhitton@spwhitton.name>

References:
- [RFC] General Resolution to deploy tag2upload
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: [RFC] General Resolution to deploy tag2upload
  - From: Ansgar 🙀 <ansgar@43-1.org>
- Re: [RFC] General Resolution to deploy tag2upload
  - From: Helmut Grohne <helmut@subdivi.de>
- Re: [RFC] General Resolution to deploy tag2upload
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Re: [RFC] General Resolution to deploy tag2upload
Next by Date: Re: [RFC] General Resolution to deploy tag2upload
Previous by thread: Re: [RFC] General Resolution to deploy tag2upload
Next by thread: Re: [RFC] General Resolution to deploy tag2upload
Index(es):
- Date
- Thread