Re: A thought experiment regarding tag2upload and trust
Bastian Blank <waldi@debian.org> writes:
> But maybe you can answer the question: Given the .dsc file, how can
> you, and more critical the public, verify that you and only you signed
> that upload?
Why is this, specifically, important?
I can turn that question around: given the .dsc file, how can I find the
Git tree that the maintainer vetted and intended to upload to the archive?
Why should I have any faith in the archive if I cannot verify that?
I don't think this is a useful way to talk about the security guarantees
that we can provide. You are massively overindexing on a very specific
implementation detail that does not prove what you seem to think it
proves.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>