Re: [RFC] General Resolution to deploy tag2upload
Sean Whitton writes ("Re: [RFC] General Resolution to deploy tag2upload"):
>[Joerg Jaspert wrote:]
>> Actually, we can set acls on fingerprints and then that key won't be able
>> to upload anymore. That is not something recorded in the keyrings or the
>> DM list. Obviously that is not something used often (really really
>> seldom), it is more for "this key is compromised badly, please turn off
>> anything with it *NOW*" situations, which is what Helmut meant with the
>> urgent cases.
[and]
>> *Really* seldom. I would have to dig and see when, especially for the
>> timing thing with keyring team.
>
> Thanks. Then possibly it is sufficient for ftpmaster just to disable
> tag2upload's whole key until the keyring update is pushed.

I'm not sure this is a sufficient answer. We don't want uploads by
revoked keys to appear on *.dgit.d.o either.

Joerg, is there some way that this fingerprint block information could
be made available in a more timely manner? Ideally we would update
push.dgit.d.o to use this information, regardless of tag2upload.
(And the t2u conversion system should use it too.)

I think maybe we should take this to a different venue than this
thread on -vote. How about a bug against ftp.d.o and/or
dgit-infrastructure?

Thanks,
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.