• tag2upload key installation

    From Ian Jackson@21:1/5 to All on Mon Apr 28 15:20:02 2025
    Hi, FTP Team:

    How is your implementation work on dak, of the additional checks you
    said you'd do for tag2upload, coming along? Do you need any further
    information or help from us ?

    Can you please tell us when you think you'll be ready for the first
    test upload ?

    Thanks,
    Ian.


    Recap for those who may not have been following things:

    tag2upload is a system for allowing every DD and DM to upload simply
    by signing a git tag. It has been blocked for 5 years, ostensibly
    because of "security" concerns considered unfounded by other teams.
    It's had a thorough independent security review by Russ Allbery.

    6 years ago:

    Prototype of tag2upload was demonstrated live in Curitiba.
    We discussed tag2upload on debian-devel. The proposal was
    unambiguously rejected by the FTP Team.

    We spent the next few years trying to go via various DPLs
    and other project grandees.

    ~5 years ago:

    We sent a draft GR to -vote, suggesting overruling the FTP Team.

    ~10 months ago:

    Only after our GR is formally proposed and seconded, the FTP Team
    eventually offer a compromise, which we accept.

    The FTP Team could have started their implementation work.

    3.5 months ago:

    Our Delegation was instituted by the DPL (after consultation with
    the FTP Team and others, of course).

    6 weeks ago:

    We generated our production key and we asked for it to be installed.
    We discovered that the FTP Team had done nothing, and they initially
    replied abusively and with a flat "no".

    At this point tag2upload could have been operational right away
    without their extra work, with something like this three line patch:
    https://salsa.debian.org/iwj/dak/-/commits/t2u-minimal

    Eventually the FTP Team gave us a date by which the key would be
    installed.

    4 weeks ago:

    The completion date promised by FTP Team passes without them having
    written a single line of code.

    We once again suggest a GR. After a bit of debate, they start on
    the implementation work for their extra checks.

    3 weeks ago:

    Last we heard from the FTP team, here on -vote.


    --
    Ian Jackson <[email protected]> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Joerg Jaspert@21:1/5 to Ian Jackson on Tue Apr 29 23:00:01 2025
    On 17578 March 1977, Ian Jackson wrote:

    > How is your implementation work on dak, of the additional checks you
    > said you'd do for tag2upload, coming along? Do you need any further
    > information or help from us ?
    >
    > Can you please tell us when you think you'll be ready for the first
    > test upload ?

    It's nearly finished and tests appear to work. Won't be too long now,
    needs review, integration and then actual upload tests.

    --
    bye, Joerg

  • From Sean Whitton@21:1/5 to Joerg Jaspert on Wed Apr 30 04:40:01 2025
    Hello,

    On Tue 29 Apr 2025 at 10:52pm +02, Joerg Jaspert wrote:

    > On 17578 March 1977, Ian Jackson wrote:
    >
    >> How is your implementation work on dak, of the additional checks you
    >> said you'd do for tag2upload, coming along? Do you need any further
    >> information or help from us ?
    >>
    >> Can you please tell us when you think you'll be ready for the first
    >> test upload ?
    >
    > It's nearly finished and tests appear to work. Won't be too long now,
    > needs review, integration and then actual upload tests.

    Thanks for the update. It does look like things are coming together on
    your branch. Could I ask you to be a little more specific?
    Are we talking one, two or three weeks before we try an upload?

    I'm asking because we're putting together a Debconf talk and want to
    know whether to expect us to be debugging, or in the beta, or what, by
    then.

    Thanks again.

    --
    Sean Whitton

  • From Ian Jackson@21:1/5 to Sean Whitton on Fri May 2 01:20:02 2025
    Sean Whitton writes ("Re: tag2upload key installation"):
    > Thanks for the update. It does look like things are coming together on
    > your branch. Could I ask you to be a little more specific?
    > Are we talking one, two or three weeks before we try an upload?

    Ping?

    --
    Ian Jackson <[email protected]> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.

  • From Ian Jackson@21:1/5 to But as Sean on Sun May 4 20:00:02 2025
    On Tue 29 Apr 2025 at 10:52pm +02, Joerg Jaspert wrote:
    > It's nearly finished and tests appear to work. Won't be too long now,
    > needs review, integration and then actual upload tests.

    I'm glad to hear this. But as Sean writes:

    > Thanks for the update. It does look like things are coming together on
    > your branch. Could I ask you to be a little more specific?
    > Are we talking one, two or three weeks before we try an upload?

    Sean asked last week, and I sent a ping, but we haven't had any reply
    at all. Can we please have an answer?

    I've put in the talk proposal that Sean mentioned. In that talk I
    intend that we will:

    * Do a live demo of tag2upload
    * Invite people to join our beta programme

    If for any reason either of those is not possible, I will have to
    explain why in my talk, and I will do so extremely clearly. That
    might well include an explanation of, and request for support in,
    a formal governance action.

    I'm sure we would all very much prefer to avoid this scenario.
    I expect the debugging process to be challenging. Therefore it is
    imperative that we get to that stage as soon as possible.

    Thanks,
    Ian.

    --
    Ian Jackson <[email protected]> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.
