tag2upload key installation

To: ftpmaster@ftp-master.debian.org
Cc: debian-vote@lists.debian.org, leader@debian.org, Sean Whitton <spwhitton@spwhitton.name>
Subject: tag2upload key installation
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Mon, 28 Apr 2025 14:16:37 +0100
Message-id: <[🔎] 26639.32693.456578.974514@chiark.greenend.org.uk>

Hi, FTP Team:

How is your implementation work on dak, of the additional checks you
said you'd do for tag2upload, coming along?  Do you need any further
information or help from us ?

Can you please tell us when you think you'll be ready for the first
test upload ?

Thanks,
Ian.


Recap for those who may not have been following things:

tag2upload is a system for allowing every DD and DM to upload simply
by signing a git tag.  It has been blocked for 5 years, ostensibly
because of "security" concerns considered unfounded by other teams.
It's had a thorough independent security review by Russ Allbery.

 6 years ago

  Prototype of tag2upload was demonstrated live in Curitiba,
  We discussed tag2upload on debian-devel.  The proposal was
  unambiguousloy rejected by the FTP Team.

  We spent the next few years trying to go via various DPLs
  and other project grandees.

 ~5 years ago:

  We sent a draft GR to -vote, suggesting overruling the FTP Team.

 ~10 months ago:

  Only after our GR is formally proposed and seconded, the FTP Team
  eventually offer a compromise, which we accept.

  The FTP Team could have started their implementation work.

 3.5 months ago:

  Our Delegation was instituted by the DPL (after consultation with
  the FTP Team and others, of course).

 6 weeks ago

  We generated our production key and we asked for it to be installed.
  We discovered that the FTP Team had done nothing, and they initially
  replied abusively and with a flat "no".

  At this point tag2upload could have been operational right away
  without their extra work, with something this three line patch:
      https://salsa.debian.org/iwj/dak/-/commits/t2u-minimal

  Eventually the FTP Team gave us a date by which the key would be
  installed.

 4 weeks ago

  The completion date promised by FTP Team passes without them having
  written a single line of code.

  We once again suggest a GR.  After a bit of debate, they start on
  the implementation work for their extra checks.

 3 weeks ago:

  Last we heard from the FTP team, here on -vote.


-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

Reply to:

Follow-Ups:
- Re: tag2upload key installation
  - From: Joerg Jaspert <joerg@debian.org>

Prev by Date: Re: language (Re: Proposal -- Interpretation of DFSG on Artificial Intelligence (AI) Models)
Next by Date: Re: Re: Proposal -- Interpretation of DFSG on Artificial Intelligence (AI) Models
Previous by thread: Debian Project Leader Election 2025 Results
Next by thread: Re: tag2upload key installation
Index(es):
- Date
- Thread