Re: Security review of tag2upload

To: debian-vote@lists.debian.org
Subject: Re: Security review of tag2upload
From: Simon Richter <sjr@debian.org>
Date: Thu, 13 Jun 2024 22:59:59 +0900
Message-id: <[🔎] 051c473d-c235-4304-9142-743dbd229315@debian.org>
In-reply-to: <[🔎] 875xudht0x.fsf@kaka.sjd.se>
References: <[🔎] 87wmmv7xdz.fsf@hope.eyrie.org> <[🔎] 875xudht0x.fsf@kaka.sjd.se>

Hi,

On 6/13/24 22:27, Simon Josefsson wrote:

Generally I reach the same conclusion, although I think there are real
security problems with both the existing and the proposed tag2upload
mechanism that we should all be aware of.  It is acceptable to realize
that we cannot protect against all attacks with reasonable costs.

In that case it is kind of disingenuous to highlight the necessity ofthis change by pointing at the xz-utils scenario.


   Simon

Reply to:

Follow-Ups:
- Re: Security review of tag2upload
  - From: Simon Josefsson <simon@josefsson.org>

References:
- Security review of tag2upload
  - From: Russ Allbery <rra@debian.org>
- Re: Security review of tag2upload
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: [RFC] General Resolution to deploy tag2upload
Next by Date: Re: [RFC] General Resolution to deploy tag2upload
Previous by thread: Re: Security review of tag2upload
Next by thread: Re: Security review of tag2upload
Index(es):
- Date
- Thread