Re: [RFC] General Resolution to deploy tag2upload
Scott Kitterman <debian@kitterman.com> writes:
> First, as I understand the position of the FTP Masters involved in this
> discussion (for clarity, I'm a non-delegated member of the FTP Team
> (i.e. FTP Assistant)), their view is that determining if an upload is
> from a person authorized to upload to the Debian archive is a function
> that is within the scope of their delegated authority and the current
> tag2upload proposal takes over that function.
As mentioned in the summary, I believe we've found a resolution to this
problem provided that the FTP team is willing to implement the protocol I
described in dak, which Ansgar seemed supportive of. That allows them to
do both the authentication and authorization check directly on the Git tag
signed by the uploader, which means the trust extended to tag2upload is
then almost precisely equivalent to the trust extended to a binary buildd:
start from an independently-verified maintainer-signed thing and produce a
build artifact.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
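As an added illustration of the two-step check described above (authentication of the tag signature, then authorization of the signer for the source package), here is a small model in Python. It is not dak's code or anything from the tag2upload project; the gpgv status lines, fingerprints, keyring and per-package ACL are all constructed placeholders.

```python
# Model of the check dak would perform directly on the uploader-signed Git tag:
# 1. authentication: is there a good signature from a key in the uploader keyring?
# 2. authorization: may that key's holder upload this source package?
# All data below is constructed; fingerprints and addresses are placeholders.

FPR_DM = "A" * 40   # constructed primary-key fingerprint of a DM
FPR_DD = "B" * 40   # constructed primary-key fingerprint of a DD

# gpgv --status-fd style output as it would look after verifying the tag object.
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {FPR_DM[-16:]} Example DM <dm@example.org>
[GNUPG:] VALIDSIG {FPR_DM} 2024-05-01 1714521600 0 4 0 22 10 01 {FPR_DM}
"""
EXPIRED_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG {FPR_DM[-16:]} Example DM <dm@example.org>
[GNUPG:] VALIDSIG {FPR_DM} 2024-05-01 1714521600 0 4 0 22 10 01 {FPR_DM}
"""

KEYRING = {FPR_DM: "dm@example.org", FPR_DD: "dd@example.org"}  # uploader keyring
DD_KEYS = {FPR_DD}                    # holders may upload any source package
DM_ACL = {FPR_DM: {"hello"}}          # DM-style per-package upload permissions
FAILURE_WORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status):
    """Return (signature_good, primary_fingerprint) from gpgv status lines."""
    good, failed, fpr = False, False, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] in FAILURE_WORDS:
            failed = True
        elif fields[1] == "VALIDSIG":
            fpr = fields[-1]  # last field is the primary key, even if a subkey signed
    return (good and not failed), fpr


def check_tag_upload(status, source_package):
    """Decide whether the signed tag may be accepted as an upload of source_package."""
    good, fpr = parse_status(status)
    if not good or fpr is None:
        return False, "authentication failed: no good signature on tag"
    if fpr not in KEYRING:
        return False, "authentication failed: signing key not in uploader keyring"
    who = KEYRING[fpr]
    if fpr in DD_KEYS or source_package in DM_ACL.get(fpr, set()):
        return True, f"accepted: {who} may upload {source_package}"
    return False, f"authorization failed: {who} may not upload {source_package}"
```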