Re: Summary of the current state of the tag2upload discussion
Do you have any examples of problems that this would have avoided (xz-utils isn't one - due to the way its releases are done, it wouldn't be suitable for tag2upload)?
Scott K
On June 24, 2024 6:36:59 PM UTC, Aigars Mahinovs <aigarius@gmail.com> wrote:
>Signing something that you did not write and something that you don't read
>is a bad security practice that exposes you to various attacks.
>
>Just because we have been doing this poor security practice for a long time
>does not make it better. Now better methods are possible and we shouldn't
>prevent them from being used just because we are used to the weaker
>approach.
>
>On Mon, 24 Jun 2024, 18:34 Scott Kitterman, <debian@kitterman.com> wrote:
>
>>
>> None of that changes the fact that it's what they signed. Historically,
>> the project has found that useful and I think it still is.