Re: Summary of the current state of the tag2upload discussion

To: Debian vote <debian-vote@lists.debian.org>
Subject: Re: Summary of the current state of the tag2upload discussion
From: Thomas Goirand <thomas@goirand.fr>
Date: Tue, 25 Jun 2024 10:11:58 +0200
Message-id: <[🔎] ec672f56-7d5c-44e0-bf2a-4960ff7fb309@goirand.fr>
In-reply-to: <[🔎] CABpYwDXwRBXp7_MuNeu77mfohmu62rcZmSjp4A3fBAPTt23iSg@mail.gmail.com>
References: <[🔎] 87le2yj5mt.fsf@hope.eyrie.org> <[🔎] 25283742.vu2YLSoAXn@zini-1880> <[🔎] 87sex3u0jw.fsf@hope.eyrie.org> <[🔎] 3094043.Ou6EI2NGLR@zini-1880> <[🔎] CABpYwDVtAjLO3O0J3Ou0Z6bu3vnJyA7GgatW71bb5HhG3Szdow@mail.gmail.com> <[🔎] B6FC8C81-8D5A-4BFC-B4A0-8A330B7718A1@kitterman.com> <[🔎] CABpYwDWTrT5ZwH_vYnd_rRp7qn0iWg+ztQxYM5bjKawnDXKgbA@mail.gmail.com> <[🔎] 6615A5F7-1668-4DA7-8224-DFEA5338262D@kitterman.com> <[🔎] CABpYwDUE-EOgfmQvwRYTXqTF3gdvv76fOJH6E6MULdPJvU3o3g@mail.gmail.com> <[🔎] CC40DDA7-3D8B-4992-A0D8-AABFF27239B4@kitterman.com> <[🔎] CABpYwDXwRBXp7_MuNeu77mfohmu62rcZmSjp4A3fBAPTt23iSg@mail.gmail.com>

On 6/24/24 23:31, Aigars Mahinovs wrote:

There is no cryptographic relationship between the signed source*package* and the actual source. That *is* the problem. Inspecting onething and then signing something else is the problem.

I'm sorry, but I cannot make a reasonable sense of the above, even ifyou're repeating it over, and over and over...

Of course what I expect in a source package is ... my source code! In somany ways, I'm checking what I upload. For example, by using and testingwhat I uploaded. Right, I haven't checked all files checksums one byone. Never the less, I am currently confident that what I uploaded iswhat I expected. That doesn't change much with the workflow you'reproposing, I'd still check that things are working as expected.

But to the contrary of what you're saying, that *is not* the problem.The problem is that you're proposing to sign something, and uploadsomething else, signed by 3rd party CI that you're willing us to blindlytrust. This makes no sense. We want your stamp of approval on the thingyou're actually uploading, not something else. You may as well make asigned request to a REST API, it wouldn't be very different from signinga tag in a random Git repository.


Cheers,

Thomas Goirand (zigo)

Reply to:

Follow-Ups:
- Re: Summary of the current state of the tag2upload discussion
  - From: Matthias Urlichs <matthias@urlichs.de>
- Re: Summary of the current state of the tag2upload discussion
  - From: Aigars Mahinovs <aigarius@gmail.com>

References:
- Summary of the current state of the tag2upload discussion
  - From: Russ Allbery <rra@debian.org>
- Re: Summary of the current state of the tag2upload discussion
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Russ Allbery <rra@debian.org>
- Re: Summary of the current state of the tag2upload discussion
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Aigars Mahinovs <aigarius@gmail.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Aigars Mahinovs <aigarius@gmail.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Aigars Mahinovs <aigarius@gmail.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Summary of the current state of the tag2upload discussion
  - From: Aigars Mahinovs <aigarius@gmail.com>

Prev by Date: Re: Summary of the current state of the tag2upload discussion
Next by Date: Re: Summary of the current state of the tag2upload discussion
Previous by thread: Re: Summary of the current state of the tag2upload discussion
Next by thread: Re: Summary of the current state of the tag2upload discussion
Index(es):
- Date
- Thread