Re: [RFC] General Resolution to deploy tag2upload

To: Sean Whitton <spwhitton@spwhitton.name>
Cc: debian-vote@lists.debian.org
Subject: Re: [RFC] General Resolution to deploy tag2upload
From: Bart Martens <bartm@debian.org>
Date: Sat, 15 Jun 2024 15:04:53 +0200
Message-id: <[🔎] Zm2RdentFGsru3nP@master.debian.org>
In-reply-to: <[🔎] 87wmmvrubl.fsf@melete.silentflame.com>
References: <[🔎] 87wmmvrubl.fsf@melete.silentflame.com>

Hi Sean,

On Wed, Jun 12, 2024 at 06:25:02AM +0800, Sean Whitton wrote:
> BEGIN FORMAL RESOLUTION TEXT
> 
> tag2upload allows DDs and DMs to upload simply by using the
> git-debpush(1) script to push a signed git tag.

Question. Does the tag signer need to trust the remote vcs and its admins at
the moment of tag signing? With a .changes file the signer has full local
control: local source code inspection, local checksums generation, and local
signing. I wonder how tag2upload would offer this level of control without
lowering the value of the signatures.

Cheers,

Bart

Reply to:

Follow-Ups:
- Re: [RFC] General Resolution to deploy tag2upload
  - From: Russ Allbery <rra@debian.org>

References:
- [RFC] General Resolution to deploy tag2upload
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Re: [RFC] General Resolution to deploy tag2upload
Next by Date: Re: [RFC] General Resolution to deploy tag2upload
Previous by thread: Re: A thought experiment regarding tag2upload and trust
Next by thread: Re: [RFC] General Resolution to deploy tag2upload
Index(es):
- Date
- Thread