
Re: A thought experiment regarding tag2upload and trust



Hi

On Sat, Jun 15, 2024 at 11:03:17AM +0200, Philip Hands wrote:
> If Ian were to offer a hosting service for such personal tag2upload
> instances, in a way that he assured me could not be used to sign
> packages unless I had signed a matching git-tag, I would be willing to
> trust his assurances, and may well take him up on the offer.

I don't actually think that the keyring people or DSA would take very
kindly to that.

> If that's OK, but tag2upload as proposed is not, are we really drawing a
> line based on what name is on the signing key?

If the service is able to provide a verifiable chain of source.  But
exactly this part is missing.

But maybe you can answer the question: given the .dsc file, how can
you, and more critically the public, verify that you and only you signed
that upload?

> Would it make any difference to the FTP masters if there was some way
> for me to assert that I trust the tag2upload service/key to build/sign
> source packages for me?

It is not about you, it is about the public and their trust in the
integrity of the Debian archive.

> Of course, without something describing exactly what the problem is from
> the FTP master's point of view, it's very hard to judge the merits of
> their position.

Huh?  This was done several times and every time disregarded.

Bastian

-- 
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.
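The question above ("given the .dsc file, how can the public verify who signed it?") has a mechanical side that is worth showing. The following is an added example, not part of the thread and not Debian tooling: a small POSIX sh script that runs `gpg --status-fd` on a .dsc and compares the primary-key fingerprint reported in GnuPG's real `VALIDSIG` status line with the fingerprint you expected. The fingerprints and status lines embedded below are constructed placeholders, not real Debian keys; the `check_dsc_signer` wrapper is the only part that needs a real .dsc and keyring. The point it illustrates: the .dsc names exactly one signer, whichever key actually signed it, so a service-signed .dsc identifies the service key and carries no record of the developer's git tag.

```shell
#!/bin/sh
# Added example: who actually signed a .dsc? (not from the original thread)
# Relies only on GnuPG's documented machine-readable status lines.

# Read "gpg --status-fd 1" output on stdin and print the primary-key
# fingerprint of the key that produced a valid signature.
# VALIDSIG fields: 1=[GNUPG:] 2=VALIDSIG 3=signing (sub)key fpr 4=date
# 5=sig ts 6=expire ts 7=version 8=reserved 9=pk algo 10=hash algo
# 11=sig class 12=primary-key fpr (present in modern GnuPG).
# Exits 1 if no VALIDSIG line was seen (bad or missing signature).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             if (NF >= 12) print $12; else print $3
             found = 1
         }
         END { if (!found) exit 1 }'
}

# Given status lines on stdin and an expected primary fingerprint, return 0
# only if the signature was made by that key (or one of its subkeys).
signer_matches() {
    expected=$1
    actual=$(primary_fpr_from_status) || return 1
    [ "$actual" = "$expected" ]
}

# Real-world wrapper: verify a .dsc and check the signer.
# Usage: check_dsc_signer foo_1.0-1.dsc <40-hex-primary-fingerprint>
check_dsc_signer() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | signer_matches "$2"
}

# --- Constructed sample data (placeholder fingerprints, not real keys) ---
DEV_PRIMARY=0123456789ABCDEF0123456789ABCDEF01234567
DEV_SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
SERVICE_PRIMARY=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# What gpg would report for a .dsc signed by the developer's signing subkey.
SAMPLE_STATUS_DEV="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>
[GNUPG:] VALIDSIG $DEV_SUBKEY 2024-06-15 1718441000 0 4 0 22 8 00 $DEV_PRIMARY"

# What gpg would report for a .dsc signed by a hypothetical service key:
# the developer's tag signature is nowhere in this output.
SAMPLE_STATUS_SERVICE="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Hypothetical Upload Service <svc@example.org>
[GNUPG:] VALIDSIG $SERVICE_PRIMARY 2024-06-15 1718441000 0 4 0 22 8 00 $SERVICE_PRIMARY"

# Signature with no VALIDSIG at all (e.g. unknown key or tampered file).
SAMPLE_STATUS_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Developer <dev@example.org>"

# Stand-alone demonstration.
if printf '%s\n' "$SAMPLE_STATUS_DEV" | signer_matches "$DEV_PRIMARY"; then
    echo "developer-signed .dsc: signer matches expected key"
fi
if ! printf '%s\n' "$SAMPLE_STATUS_SERVICE" | signer_matches "$DEV_PRIMARY"; then
    echo "service-signed .dsc: signer is $(printf '%s\n' "$SAMPLE_STATUS_SERVICE" | primary_fpr_from_status), not the developer"
fi
```

`primary_fpr_from_status` deliberately prefers the primary-key fingerprint over the signing subkey's, since keyrings identify a person by the primary key; on a GnuPG too old to emit the twelfth field it falls back to the subkey fingerprint, which you would then have to map to a primary key yourself.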

