
Re: A thought experiment regarding tag2upload and trust



On 15.06.24 11:03, Philip Hands wrote:
> If it were easy to deploy an instance of tag2upload in my house,
> populated with a sub-key of my GPG key, I would probably set that up
> (and then start worrying about the security of the sub-key 😉 ).
>
> If I did that, I believe the FTP masters would still accept my uploads.
> Why should they not? They don't know that a bot did it.
> If Ian were to offer a hosting service for such personal tag2upload
> instances, in a way that he assured me could not be used to sign
> packages unless I had signed a matching git-tag, I would be willing to
> trust his assurances, and may well take him up on the offer.

Same here. Immediately.

In fact, if the day had more than 24 hours I would already have an instance up and running – one which probably would be somewhat less secure than an "official", or at least well-maintained, tag2upload service.

-- 
-- with kind regards
-- 
-- Matthias Urlichs

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

