Hi

On Sat, Jun 15, 2024 at 11:03:17AM +0200, Philip Hands wrote:
> If Ian were to offer a hosting service for such personal tag2upload
> instances, in a way that he assured me could not be used to sign
> packages unless I had signed a matching git-tag, I would be willing to
> trust his assurances, and may well take him up on the offer.

I don't actually think that the keyring people or DSA would take very kindly to that.

> If that's OK, but tag2upload as proposed is not, are we really drawing a
> line based on what name is on the signing key?

If the service is able to provide a verifiable chain of source. But exactly this part is missing.

But maybe you can answer the question: Given the .dsc file, how can you, and more critically the public, verify that you and only you signed that upload?

> Would it make any difference to the FTP masters if there was some way
> for me to assert that I trust the tag2upload service/key to build/sign
> source packages for me?

It is not about you, it is about the public and their trust in the integrity of the Debian archive.

> Of course, without something describing exactly what the problem is from
> the FTP master's point of view, it's very hard to judge the merits of
> their position.

Huh? This was done several times and every time disregarded.

Bastian

-- 
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.

