On 15.06.24 11:03, Philip Hands wrote:
If it were easy to deploy an instance of tag2upload in my house, populated with a sub-key of my GPG key, I would probably set that up (and then start worrying about the security of the sub-key đŸ˜‰ ).If I did that, I believe the FTP masters would still accept my uploads.
Why should they not? They don't know that a bot did it.
If Ian were to offer a hosting service for such personal tag2upload instances, in a way that he assured me could not be used to sign packages unless I had signed a matching git-tag, I would be willing to trust his assurances, and may well take him up on the offer.
Same here. Immediately.In fact, if the day had more than 24 hours I would already have an instance up and running – one which probably would be somewhat less secure than an "official", or at least well-maintained, tag2upload service.
-- -- mit freundlichen GrĂ¼ĂŸen -- -- Matthias Urlichs
OpenPGP_signature.asc
Description: OpenPGP digital signature
