tl;dr:

Dear Andreas:

Would you please make a temporary delegation, to enable tag2upload ?
We think this consists mostly of deploying a 3-line patch to dak.


Discussion
----------

It is now 7 weeks since we asked the FTP Team to install the
tag2upload oracle service's public key on fasolo.

During this time the FTP Team have not communicated with us on a
technical level at all. They have not asked for test data. They hvve
not asked any technical questions. They have not engaged in the
discussions on how the Oracle's public key should be conveyed to dak
on fasolo.

Only after we proposed a draft General Resolution here on -vote, did
the FTP Team finally start the implementation work they say they want,
and which they could have begun a year ago.

That work is still not complete and the FTP Team have refused to give
any indication how long they think it will take. They did previously
promise a date, but that date (31st March) is long past. Indeed, the
FTP Team hardly answer our emails at all.

The delay, and the lack of communication, are intolerable.

Furthermore even if the FTP Team complete their extra programming
work, we naturally expect that there will be teething problems and
snags to work out.

But the FTP Team won't communicate with us on a technical level, and
only reply to emails if vigorously poked here - often not even then.
It doesn't seem like they really want to see tag2upload deployed,
despite notionally saying they support it. We don't expect that snags
and bugs will be resolved in a reasonable timescale, or at all.

For these two reasons, we conclude it is necessary to give someone
else the authority to install the key, so tag2upload can go live.

We therefore hereby formally request that the Debian Project Leader
intervenes, by making a temporary delegation.


Draft Delegation
----------------

We believe we have one volunteer already - Daniel Gr�ber. It would be
much better if this task wasn't done by Sean or me. Daniel: thanks,
and are you still up for this ?

Does anyone else want to volunteer ? You may be able to base your
work on this 3-line patch to dak:
https://salsa.debian.org/iwj/dak/-/commits/t2u-minimal

We suggest a delegation text like this:

Per Debian Constitution 5.1, I hereby delegate the
tag2upload Key Installation Task
to the following Task Delegates:

- Name
- Name

Task description
----------------

1. Install the tag2upload package signing key on fasolo.
(i) in such a way that dak will treat it identically
to a key belonging to a normal uploading DD;
(ii) or some other similar authority or abilities as
is consistent with the tag2upload service's needs,
and seems convenient to the Task Delegates;
(iii) keeping all changes as minimal as possible.

2. Collaborate with the tag2upload Delegates.

3. Collaborate with the FTP Master Delegates, if they express
an interest, but without introducing any significant delay.
Final decisions lie with the Task Delegates.

4. Confirm with the tag2upload Delegates that things are working.
Resolve any problems (with the key, or with other aspects of dak).

5. Document what was done by email to the FTP Master Delegates,
and/or in git, as the Task Delegates consider reasonable.

6. When completed, or if significant obstacles are encountered,
report to the debian-project mailing list.

The Task Delegates should be granted by DSA whatever permissions are
necessary to accomplish the task.

This is a new delegation. It is limited to the duration of the
task, or until withdrawn by present or future Project Leaders.


Thanks,
Ian.


Appendices
==========

Q&A
---

Q. We should give the FTP Team more time / you are pushing too hard.

A. We have been extraordinarily patient.

This project has already been delayed by the FTP Team for half a
decade. Progress has only occurred when it looked like the FTP
Team might be overruled.

See the detailed timeline below.


Q. We should wait unti after the release, so as not to disrupt it.

A. Release activities are independent of these changes to dak. Indeed
the FTP Team have been carrying out unrelated overhaul and QA work
on dak during this time.


Q. The FTP Team should be allowed to focus on processing NEW.

A. Only one FTP Team member ever processes NEW. That FTP Team member
is a hero, and is not involved in this disupute. Their work is
appreciated, and will not be interrupted.

The FTP Team member who is most strongly opposed to tag2upload, is
also the one who is tasked with the additional programming work
they say they want - and that team member has been p

[I don't need CC'ing on replies that go to -vote]
Hi,

Ian Jackson <[email protected]> writes:

tl;dr:

Dear Andreas:

Would you please make a temporary delegation, to enable tag2upload ?
We think this consists mostly of deploying a 3-line patch to dak.

FWIW, I think this is a reasonable request, and it's long past time
tag2upload got unblocked. A delegation by the DPL to get this done feels
like the right organisational tool for the job.

Regards,

Matthew

ObDisclaimer: I know both Ian and Sean personally. That hasn't stopped
me disagreeing with either of them in the past ;-)

--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Fri 09 May 2025 at 12:02pm +01, Matthew Vernon wrote:

[I don't need CC'ing on replies that go to -vote]
Hi,

Ian Jackson <[email protected]> writes:

tl;dr:

Dear Andreas:

Would you please make a temporary delegation, to enable tag2upload ?
We think this consists mostly of deploying a 3-line patch to dak.

FWIW, I think this is a reasonable request, and it's long past time tag2upload got unblocked. A delegation by the DPL to get this done feels
like the right organisational tool for the job.

Just to confirm, as the other tag2upload Delegate, that I agree.

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmgd7PgZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQFUMD/0TTj0LygV4O8kGOtsaQkkx 9AJSMl/r3ZqxDrxgyeDHBF27W8ZOdLV4/OleVDPsSazIItz2L5pVQk2M8LnL3kMO 0BAs1mt89aCZtbDdgD9nOPQXk7XoSz9F5+KWZ3li8zAr1IyQCgzqMgAXumZPx8Mw XfD2kCX+Zeec+KBN74uabcr1GQMEkhFl7q5AoAuf+MOL/bf6UmlSYTXBatLF99YE iEKJGOXmYxfBnEfbNb51HW6kfZ6/mKhjgg25rmTbsOQjRUY/ziUAXqu5FlIZqd5g bZtD5/NpFMKiK+B6Hj9fzThKx8YY2kTrZqmAsm7NMxn0viG2jaff9zM4CSO01yQ2 AZ2KSHCkgUCgo5e1U3+HeZe6E8bgbgaT5C+XtlEIkaNgxw+/YzN2cw1H8f6wOGsF NC8MhD4hcWPUA1pdbCKT7RMqJjUOV5I4y4B32oXjsZHrA+kRlkLMFXHd2HfaS015 ZPIkfcWccwIrV1/KHwDFsOqgK84iszTxNGJCyZoOc9HmpKAv0DMZOynITGI7sC6p 45uaP0sXo9xUmRprXndtkj6T3c6roVIjGAWGGVawcl/XMJi01xwkum17iLzy+Fa7 4aAxdAlQz/h+T0beglUdH6Q76A2uC7AYiHDUf1UeB3HQLc0dG1C8N102HrGQh2gq DC/slKPZelgrlF9wU8p71A==smJF
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------zarmiAn5boSefqoIfxhe7Dbu
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

T24gMDkuMDUuMjUgMTM6MDIsIE1hdHRoZXcgVmVybm9uIHdyb3RlOg0KPiBGV0lXLCBJIHRo aW5rIHRoaXMgaXMgYSByZWFzb25hYmxlIHJlcXVlc3QsIGFuZCBpdCdzIGxvbmcgcGFzdCB0 aW1lDQo+IHRhZzJ1cGxvYWQgZ290IHVuYmxvY2tlZC4NCg0KU2Vjb25kZWQuDQoNCkkgZG9u J3QgaGF2ZSBhbnl0aGluZyB0byBhZGQgdGhhdCBJIGRpZG4ndCB3cml0ZSBvZnRlbiBlbm91 Z2ggYmVmb3JlLCANCmJ1dCBsZXQgbWUgcHV0IGl0IHRoaXMgd2F5OiBXaGlsZSB3YXRjaGlu ZyBJYW4gZXhwb3VuZCBvbiBoaXMgb3BpbmlvbiANCmFib3V0IHRoZSBGVFAgdGVhbSBpbiBK dWx5IHdvdWxkIGNlcnRhaW5seSBiZSBlbnRlcnRhaW5pbmcgKGZvciBzb21lIA0KdmFsdWUg b2YgImVudGVydGFpbmluZyIgYW55d2F5KSBJJ2QgcmF0aGVyIHdlIGF2b2lkIHRoZSByZXN1 bHRpbmcgTFdOIA0KY292ZXJhZ2UuDQoNCi0tIA0KLS0gcmVnYXJkcw0KLS0gDQotLSBNYXR0 aGlhcyBVcmxpY2hzDQoNCg==

--------------zarmiAn5boSefqoIfxhe7Dbu--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEr9eXgvO67AILKKGfcs+OXiW0wpMFAmgd7GUFAwAAAAAACgkQcs+OXiW0wpNF 0g//d/Zx3eGEH/zLDtUJObt2ecfpuslpmMN00OYojUmMmTZkS8jmLHjUmuJkbJNw/3VliiiwVT+z vqrstSf1yFm3hSCiBdKatRdjHBNGv0RdtUoedp5K62k0mlq9uT2MM5ufKCcU5L0SzKzf9TdRRCXr rOwNe5dAaX2g0axlAr5aCeb5+FmUrVEodDbhvQPw5uWpmz1VLswzjxEOycGI4Nn/htWGwWYH3Bvg 6dKKkVoIl6bsnGRc+4/ciqLb9zW4T3voDIpr3+EvJP944Mm1HrnJVWOKWcdlvquEsDqW6ru6t82z m+8+mmyrLunkUxqH7l4B5QCwS1KIo7gNVm9MirYx5n6R729Z0/0rbjpiMp6rE8w4unbz6EGdQv+Q jjkHSOa1IHWlLAs+1zhxc3nR4jNVIP5xTUJ/V1UZuJq1NT3aG19YtoE5utocOtlxceV5fhIpVwGn eVunsHatZ9dtESNTlxtr6I0dS8XdAVTtP6jaSYri2eNWZ6VZl7t7SSZjt4XKkgzsH0YzIe9V/JNL kpzNLNeDeyM9J8NInARKuV8KBzujjOtZBOtK9FFzy9ZyYJckJ6VFw8c/Kt/FQnOquUTIEJblG8DH 6c7P/qNIrVdn7zrje1sG4ik5Jmf0ZAEfWSQJhPkos41X0Ym6QcpJluQnUpGK4PDPQnYyE4t63zJh zOg=
=+kVo
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, May 09, 2025 at 11:43:22AM +0100, Ian Jackson wrote:

We believe we have one volunteer already - Daniel Gröber. It would be
much better if this task wasn't done by Sean or me. Daniel: thanks,
and are you still up for this ?

Yes.

--Daniel <3

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEV6G/FbT2+ZuJ7bKf05SBrh55rPcFAmgeBYQACgkQ05SBrh55 rPf6dQ//VqObuxfwnpH9GdwhXB0iWUlTjjrmQEi4ggJIhWd1OXaoyWXA9hWHOI5+ I8RtaywY992dWObQoDwJw5peswmpOFlesxJw1u4R41D8MXA/0Cgya1BZs3jQDVuu Ir5NTJg7Aa0DWiGcomoQfc4++O4J0Wb5z5G0JpPs18kau9HG9boRQl9n1YXssq6q nRxqsCA//F/XO1jhDW2cr+EmaadpV/cXrrKSuRmvwzXM2U0L9UZwxmo8KV8zun20 drXl9vsvNU2qylRnDzgilioAieI9YOOaaRJZP7DD6v6TxsqJwbqJQSvHUByX6l9f gYqIk2DZD8VPVE7R7VvoTUrQpw2BXqv0CbBPoL0wV5RUNI7vfL6iaFm02UTAVFbi qNGpBSN8DmaHFbBNxmEgzdlGT59blz+hSWq9FOr4xipaEGoWqbSbL4h124sL/RVn LnsKWA6znA5HRjl3J6Z6ZQDhJL0qt5WzGrhCv8t3mU3lj3mSF+yltuPmpGqLVtSR Lr1uAnWepZSg81W3mDrs0n9dYDLKFjNya//RoX3x9m8xwdO4NjbwmXnikHAcCAFM A9DnKJBfWRc4vfLvZ9Ks+PLGI8ci6Xn5w0qDvOqqf+nE6d7tRM66iPHPZwDgZMWz U9XjEMsfsYX8EOKROXF8Qc1SzaR/MV/McRqTaQFuMwwdwgEuzxg=
=M2He
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 09/05/25 4:13 pm, Ian Jackson wrote:

tl;dr:

Dear Andreas:

Would you please make a temporary delegation, to enable tag2upload ?
We think this consists mostly of deploying a 3-line patch to dak.

Thank you for all the work you (and Sean) have done for tag2upload. I too, agree
that this is the right thing to do here.

I know +1 chains are useless, and I try to avoid them. However, I wanted to express
that I'd have felt very helpless had I been in the same situation as you, provided I
spent an equivalent amount of hours working on tag2upload.

I hope Andreas can do something about it at the earliest.

Thanks,
Nilesh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Nilesh Patra <[email protected]> writes:

On 09/05/25 4:13 pm, Ian Jackson wrote:

tl;dr:

Dear Andreas:

Would you please make a temporary delegation, to enable tag2upload ?
We think this consists mostly of deploying a 3-line patch to dak.

Thank you for all the work you (and Sean) have done for tag2upload. I too, agree
that this is the right thing to do here.

+1

I know +1 chains are useless, and I try to avoid them. However, I wanted to express
that I'd have felt very helpless had I been in the same situation as you, provided I
spent an equivalent amount of hours working on tag2upload.

Indeed -- I think this is a systematic problem in the Debian community.

One technical way to improve matters is to design technical solutions
that doesn't lead to concentration of power. I'm not saying that any
power is actively mis-used here, it is just that with powers comes responsibilities and for a volunteer organization, and having
responsibilities that aren't easily shared leads to efficiency issues.

I wouldn't really want to find myself in either of the tag2upload OR the
FTP Team in a situation like this, and it is probably frustrating for
both teams. The problem isn't the other team, it is how these things
are setup in the first place.

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmghme4UHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFogR4AQDhh87fQj2g wQAbFtaBxpcXxnxAAYZsgDLEkYuODLzQJwEA7QYWXEMtiHpq7DJ7IWiYB3RYlCkQ 4dY8ssADp6gfggg=jNss
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

[adding -vote to the CC]

Hello,

On Mon 12 May 2025 at 03:43pm +02, Philipp Kern wrote:

On 2025-05-12 15:33, Sean Whitton wrote:

On Mon 12 May 2025 at 03:16pm +02, Andreas Tille wrote:

Given this update, I have a few questions for the teams involved:
1. Is a new delegation still needed, or can tests begin without further
formal steps? If the keyring was installed by DSA as part of their
normal responsibilities, the originally proposed delegation might no
longer be necessary--can someone confirm this?

All that has happened is that a copy of the public key is now present on
fasolo. dak still does not trust the key.
Therefore the delegation is still required, until and unless the FTP
team merge and deploy their branch.

AIUI the deployment has happened on Saturday. The merge definitely happened[1].

Kind regards
Philipp Kern

[1] https://salsa.debian.org/ftp-team/dak/-/commits/master?ref_type=HEADS

Thanks.

So: tag2upload's key became ostensibly trusted by dak on Saturday, and
no-one on the FTP Team informed the tag2upload Delegates of this fact.

We found out because the DPL wrote saying "everything is done, right?"
two days later, and I replied saying "huh, don't think so?", and Philipp
kindly let me know that in fact a deployment had occurred.

This is a highly unprofessional way for FTP Team members to be
interacting with (or, failing to interact with) another delegated team.

We should have been invited to perform testing by the FTP Team. Indeed,
I just tried a test upload of dgit-test-dummy, and it was REJECT'd with
a strange error message.

Should we file a bug against ftp.debian.org? Just write an e-mail?
We have no open channel of communication, despite our best efforts.

Let me note, nevertheless, my thanks to Ansgar for the technical work
he's done over the past two weeks.

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmgiCrkZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQGbvD/41SnW6+Y7264XHvlMe+WEN iC6nDNgFzzTQKf+suTb4w/NmLzLUJceerXL1+jDDsqdA64TBpdlq2xxGkM31iv1+ tN04L7+/X3GT7/7ngmE0MRq6ERN06qCQkGESEoGjxlvWRSevJGyawTJDs+N12Ra5 c7+a60sgKGbi9qn6E/8AipVdHhG9CEytkj/HmjrehlQc2hE4nzQHNxS5WtR/nufA Ag1GJApJByUVHsqQO3xNfZE9tIu2R640ojwg1CYgKPG67BnBIZ8lejOKcL/CFCea G3uYpC3MBLn5q72vm5ezZo/NpqCfj4UkMRn33oevtMbO6juo81FbYtziOXZ0hseb ZjdiqhsvbIgC2FPSWrqGkj8Y5QQdNDFd/EoHHNk1TAxnYYf9q4VOfKYyxFAqyj7B 356RcLabSYBb2oavkP6zfLK8YrhNcc9G3iECoi/SlyVJy9vgqgEebjz1v48QTSSM 405Q3z+8j7U/DlLHk6h+iqa7Yd0iJnJd3oMva452qLCdEk/vqfoMr1BwicgqLG0N twawcvbH61bMbygALq7de+EXrodjddUAZ8VlJ5itYxy/ssoSvtffCo0/NQ4hc+Yh hMaoCqp55O9GD0ecpR/FPXRWaeoQmQ6zUIbTPVFt3rd10uPK6dCyzL0lFTndZHRy i0vuBuxdA4hyspA8NOHQ3w==n/k1
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

On Mon, 2025-05-12 at 16:00 +0100, Ian Jackson wrote:

Sean Whitton writes ("Re: tag2upload - request for DPL action"):

We should have been invited to perform testing by the FTP Team. 
Indeed, I just tried a test upload of dgit-test-dummy, and it was
REJECT'd with a strange error message.

Should we file a bug against ftp.debian.org?  Just write an e-mail?
We have no open channel of communication, despite our best efforts.

For reference, here is the error email.  It looks like some part of
the complicated new code failed, but the stderr output doesn't
appeaar in the message, so it's impossible to say what the cause is.

That error being:

tag2upload: invalid metadata: Command '['sudo', '-H', '-u', 'dak-
unpriv', '/srv/ftp-master.debian.org/dak/scripts/debian/wrap- tag2upload-verify', '--audit', '/dev/stdin']' returned non-zero exit
status 1.

That script exists on the ftp-master server, but isn't marked as
executable, which seems a plausible reason for trying to run it via
sudo to be failing.

I assume that's just an oversight on the part of ftp-master.

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sean Whitton writes ("Re: tag2upload - request for DPL action"):

We should have been invited to perform testing by the FTP Team. Indeed,
I just tried a test upload of dgit-test-dummy, and it was REJECT'd with
a strange error message.

Should we file a bug against ftp.debian.org? Just write an e-mail?
We have no open channel of communication, despite our best efforts.

For reference, here is the error email. It looks like some part of
the complicated new code failed, but the stderr output doesn't appeaar
in the message, so it's impossible to say what the cause is.

I can't rule out that this is a bug in our part of the system. But
without cooperative communication on a technical level, it will not be
possible to resolve this, or the next snag.


The situation is as I predicted on Friday:

But the FTP Team won't communicate with us on a technical level, and
only reply to emails if vigorously poked here - often not even then.
It doesn't seem like they really want to see tag2upload deployed,
despite notionally saying they support it. We don't expect that snags
and bugs will be resolved in a reasonable timescale, or at all.

For these two reasons, we conclude it is necessary to give someone
else the authority to install the key, so tag2upload can go live.


Ian.


MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256";
protocol="application/pgp-signature";
boundary="===============7884812330425039811=="
Return-path: <[email protected]>
Envelope-to: [email protected]
Received: from muffat.debian.org ([209.87.16.33])
by chiark.greenend.org.uk (Debian Exim 4.94.2 #2) with esmtp
(return-path [email protected])
id 1uEUEH-0001ps-Hl
for [email protected]; Mon, 12 May 2025 15:34:09 +0100 X-SAUCE-SA-Score: -1.1/-n
Received: from muffat.debian.org ([209.87.16.33])
by chiark.greenend.org.uk (SAUCE v0.9.0)
with esmtp id sauce-2079-1747060-1; 12 May 2025 14:34:05 +0000 (GMT) Received: from [192.91.235.231] (port=56386 helo=fasolo.debian.org)
from C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=fasolo.debian.org,EMAIL=[email protected] (verified)
by muffat.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
(Exim 4.94.2)
(envelope-from <[email protected]>)
id 1uEUEF-00C3mJ-B7
for [email protected]; Mon, 12 May 2025 14:34:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type:
Subject:MIME-Version:To:From:Reply-To:Cc:Content-Transfer-Encoding:Content-ID
:Content-Description:In-Reply-To:References;
bh=PBVf+FaUPzaU6pNMpbBJWlb+NZGjcsTrIVOf00OGWc8=; b=H9MN00XQBq/u+L7aWFSbo/ubjL
bN3QcsXY2my93NaCVrX3wMOaPE+8ZcV9zN22/CjV5w7ybjWYcyJMl4541WDxLsKNb4JuFvArPj+bR
6Vs0am3OQXoiS8sywq4aLDuAYhuoaszjJr2i5M5d0+CZNqas01fT+sI6nfALETaBlh06UVBckZz4A
icUK0enO/h85M4hMPD9RSubWL7m6UYvW+KpcpDWPRz6fVQdX/y3A2QixJVtfoAUFoEphvXjx5mUa7
aiTlAQV+sWNITIeAxfFgdyEygJ0mTyWN1IhQIsjaGIXeS/llBUWjKJmgpfP1vLxhRGzOK0ELFW7ue
Tuos7keQ==;
Received: from dak by fasolo.debian.org with local (Exim 4.94.2)
(envelope-from <[email protected]>)
id 1uEUEB-005PZ3-Dk; Mon, 12 May 2025 14:33:59 +0000
X-DAK: dak process-upload
X-DAK-Rejection: automatic
X-Debian: DAK
X-Debian-Package: dgit-test-dummy
Debian: DAK
Debian-Changes: dgit-test-dummy_1.112_source.changes
Debian-Source: dgit-test-dummy
Debian-Version: 1.112
Debian-Architecture: source
Debian-Archive-Action: reject
Precedence: bulk
Auto-Submitted: auto-generated
Message-Id: <[email protected]>
From: Debian FTP Masters <[email protected]>
To: Ian Jackson <[email protected]>,
<[email protected]>,
Sean Whitton <[email protected]>
Subject: dgit-test-dummy_1.112_source.changes REJECTED
Date: Mon, 12 May 2025 14:33:59 +0000

--===============7884812330425039811==
CONTENT-TRANSFER-ENCODING: quoted-printable
Content-Type: text/plain; charset="utf-8"



tag2upload: invalid metadata: Command '['sudo', '-H', '-u', 'dak-unpriv', '/srv/ftp-master.debian.org/dak/scripts/debian/wrap-tag2upload-verify', '--audit', '/dev/stdin']' returned non-zero exit status 1.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our concerns.


--==============x84812330425039811=Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCaCIG1wAKCRCb9qggYcy5 IeW3AQD8OCskgXnC+KLQ/Hckq8tpgnn1G7+ULJrbvZSwWG+jTAD/SIQIfLWIpiBZ yF8HAFt9HJM7bYpsL4YAR0AAsmk5JQ8=1vmB
-----END PGP SIGNATURE-----

--==============x84812330425039811==--

--
Ian Jackson <[email protected]> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 17592 March 1977, Adam D. Barratt wrote:

Should we file a bug against ftp.debian.org?  Just write an e-mail?
We have no open channel of communication, despite our best efforts.

"Best efforts", my ass.

For reference, here is the error email.  It looks like some part of
the complicated new code failed, but the stderr output doesn't
appeaar in the message, so it's impossible to say what the cause is.

Best efforts in harrassing and driving people out of Debian...

That script exists on the ftp-master server, but isn't marked as
executable, which seems a plausible reason for trying to run it via
sudo to be failing.

Adjusted, thanks for looking.

--
bye, Joerg

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

tag2upload: invalid metadata: Command '['sudo', '-H', '-u', 'dak-unpriv', '/srv/ftp-master.debian.org/dak/scripts/debian/wrap-tag2upload-verify', '--audit', '/dev/stdin']' returned non-zero exit status 1.

I notice that after the first automated REJECT, we have now got an
automated ACCEPT from dak for this upload. Thanks to the FTP Team for
fixing the root cause of this issue.

Sean and I will need to do some more tests to confirm everything is
working properly. I expect that will take us a few days.

Andreas, thanks for your help. We will let you know if we need
further assistance.

Ian.

--
Ian Jackson <[email protected]> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ian,

As I've mentioned in several emails, I was AFK over the weekend and
still tried my best to support you during that time. I had some backlog yesterday and only now saw that you "helped me not to forget" something.

In the future, such help is welcome--but please do it in private, not
by breaking list policy.

Your action frames my behaviour as lacking transparency in public. The
opposite is true. I deliberately sent a private message to request clarification because I wasn't entirely sure about the current status.

I consider your action absolutely unacceptable, and I expect this will
not happen again.

Andreas


Am Mon, May 12, 2025 at 02:56:37PM +0100 schrieb Ian Jackson:

Hi, Andreas. It appears that you forgot to forward your message to debian-vote. I'm doing that now.

--
https://fam-tille.de

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi, Andreas. It appears that you forgot to forward your message to debian-vote. I'm doing that now.

Nothing here is or needs to be secret. So we should be doing all this
in public. Given the history here, transparency is vital.

Sean is responding substantively, and I have strongly encouraged him
to CC -vote too.

Ian.


CONTENT-TRANSFER-ENCODING: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Return-path: <[email protected]>
Envelope-to: [email protected]
Received: from stravinsky.debian.org ([82.195.75.108])
by chiark.greenend.org.uk (Debian Exim 4.94.2 #2) with esmtp
(return-path [email protected])
id 1uET1U-0003ZK-F5
for [email protected]; Mon, 12 May 2025 14:16:49 +0100 X-SAUCE-SA-Score: -0.8/-n
Received: from stravinsky.debian.org ([82.195.75.108])
by chiark.greenend.org.uk (SAUCE v0.9.0)
with esmtp id sauce-1686-1747055-1; 12 May 2025 13:16:48 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d�bian.org;
s=smtpauto.stravinsky; h=X-Debian-User:In-Reply-To:Content-Transfer-Encoding:
Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:
Reply-To:Content-ID:Content-Description;
bh=qzrE5L/xJirfzaLYrPt41UIyC61R15Hqej+/Wa03Eus=; b=OKfsF8ep+i/3Ds+eTmsGqzOAMF
oYgONHq6lTvtPAWcTdBqlsBTSa9UN1S338Cow2n5gvXNdRPOJkSOxY2tZIqioE8AnBvRk/ZOggjyE
eo5mCD8MEwLnT37dMRhp3xov8bmPH/orhk2pcXBbKmt784hejcDuvwQziLe4r7fy/fh7Zu3p+vGKF
xUJekv3pTsbAfzmK2ZZt+daMnyRqeBmSaUmaUJTFhHTzai1f6ZHEAZHXRWHe0KEcOdORddAPVGnkb
j8E+NFysZNeGmzQOhsB+lJdcZ7ezQ465NYAiEKRhLJof7PGz5dtXSaw6zB03El8UZImWF37clccF3
vVz/6CWg==;
Received: from authenticated user
by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
(Exim 4.94.2)
(envelope-from <[email protected]>)
id 1uET1T-009nkz-CA; Mon, 12 May 2025 13:16:47 +0000
Received: from andreas by mail.an3as.eu with local (Exim 4.96)
(envelope-from <[email protected]>)
id 1uET1S-0039t0-1K;
Mon, 12 May 2025 15:16:46 +0200
Message-ID: <[email protected]>
References: <[email protected]>
<[email protected]>
In-Reply-To: <[email protected]>
X-Debian-User: tille
From: Andreas Tille <[email protected]>
To: Ian Jackson <[email protected]>
Cc: [email protected],
Daniel =?iso-8859-1?Q?Gr�ber?= <[email protected]>,
[email protected],
Sean Whitton <[email protected]>,
Philipp Kern <[email protected]>
Subject: Re: tag2upload - request for DPL action
Date: Mon, 12 May 2025 15:16:46 +0200

Hi again,

As far as I understood (while I was on VAC last weekend), Philipp Kern
used his DSA hat to do the work needed to move tag2upload forward. This
was confirmed by Ansgar:


Am Sat, May 10, 2025 at 12:06:14PM +0200 schrieb Ansgar 🙀:

Philipp Kern thankfully set up the keyring distribution. So the branch
could be merged now without breaking the running setup.

The keyring is also configured and uploads might work, except for bugs:
I wrote an integration test, but it uses a manually crafted package
which might be slightly wrong.

Given this update, I have a few questions for the teams involved:

1. Is a new delegation still needed, or can tests begin without further
formal steps? If the keyring was installed by DSA as part of their
normal responsibilities, the originally proposed delegation might no
longer be necessary--can someone confirm this?

2. To Ansgar: You had proposed changes to the tag2upload delegation text
Message-ID: <[email protected]>.
Given recent developments, do you think this still needs discussion,
or has your concern been addressed?

3. On team collaboration: It's become quite clear that communication
between the delegated teams (FTP Archives and tag2upload) has been
difficult. I consider this a serious issue. We won't fix a social
problem by reshuffling delegations alone.

Since the draft delegation text mentioned Daniel Gröber, I want to
express thanks for volunteering. Daniel, if you're still willing, I'd
appreciate your view on whether mediation between the teams would be
possible--and in what context or team structure you think that could
work best.

Thanks again to everyone who has pushed this forward despite the
challenges. I hope we're now close to testing a working setup--please
let me know if that's not the case.

Kind regards,
Andreas



Am Fri, May 09, 2025 at 10:38:16PM +0200 schrieb Andreas Tille:

[public list removed from CC]

Hi Ian,

Just to keep you in the loop: while I haven’t formally announced a VAC
on debian-private, I’m effectively offline until Monday.

I’ve sent a brief note to the ftpmaster team list to ask them to share
any concerns or reasons they might have regarding your delegation
request before then.

I’ll revisit the matter once I’m back online.

Thank you for your patience
Andreas.

Am Fri, May 09, 2025 at 11:43:22AM +0100 schrieb Ian Jackson:

tl;dr:

Dear Andreas:

Would you please make a temporary delegation, to enable tag2upload ?
We think this consists mostly of deploying a 3-line patch to dak.

Discussion
----------

It is now 7 weeks since we asked the FTP Team to install the
tag2upload oracle service's public key on fasolo.

During this time the FTP Team have not communicated with us on a
technical level at all. They have not asked for test data. They hvve
not asked any technical questions. They have not engaged in the discussions on how the Oracle's public key should be conveyed to dak
on fasolo.

Only after we proposed a draft General Resolution here on -vote, did
the FTP Team finally start the implementation work they say they want,
and which they could have begun a year ago.

That work is still not complete and the FTP Team have refused to give
any indication how long they think it will take. They did previously promise a date, but that date (31st March) is long past. Indeed, the
FTP Team hardly answer our emails at all.

The delay, and the lack of communication, are intolerable.

Furthermore even if the FTP Team complete their extra programming
work, we naturally expect that there will be teething problems and
snags to work out.

But the FTP Team won't communicate with us on a technical level, and
only reply to emails if vigorously poked here - often not even then.
It doesn't seem like they really want to see tag2upload deployed,
despite notionally saying they support it. We don't expect that snags
and bugs will be resolved in a reasonable timescale, or at all.

For these two reasons, we conclude it is necessary to give someone
else the authority to install the key, so tag2upload can go live.

We therefore hereby formally request that the Debian Project Leader intervenes, by making a temporary delegation.

Draft Delegation
----------------

We believe we have one volunteer already - Daniel Gröber. It would be much better if this task wasn't done by Sean or me. Daniel: thanks,
and are you still up for this ?

Does anyone else want to volunteer ? You may be able to base your
work on this 3-line patch to dak:
https://salsa.debian.org/iwj/dak/-/commits/t2u-minimal

We suggest a delegation text like this:

Per Debian Constitution 5.1, I hereby delegate the
tag2upload Key Installation Task
to the following Task Delegates:

- Name
- Name

Task description
----------------

1. Install the tag2upload package signing key on fasolo.
(i) in such a way that dak will treat it identically
to a key belonging to a normal uploading DD;
(ii) or some other similar authority or abilities as
is consistent with the tag2upload service's needs,
and seems convenient to the Task Delegates;
(iii) keeping all changes as minimal as possible.

2. Collaborate with the tag2upload Delegates.

3. Collaborate with the FTP Master Delegates, if they express
an interest, but without introducing any significant delay.
Final decisions lie with the Task Delegates.

4. Confirm with the tag2upload Delegates that things are working.
Resolve any problems (with the key, or with other aspects of dak).

5. Document what was done by email to the FTP Master Delegates,
and/or in git, as the Task Delegates consider reasonable.

6. When completed, or if significant obstacles are encountered,
report to the debian-project mailing list.

The Task Delegates should be granted by DSA whatever permissions are
necessary to accomplish the task.

This is a new delegation. It is limited to the duration of the
task, or until withdrawn by present or future Project Leaders.

Thanks,
Ian.

Appendices
==========

Q&A
---

Q. We should give the FTP Team more time / you are pushing too hard.

A. We have been extraordinarily patient.

This project has already been delayed by the FTP Team for half a
decade. Progress has only occurred when it looked like the FTP
Team might be overruled.

See the detailed timeline below.

Q. We should wait unti after the release, so as not to disrupt it.

A. Release activities are independent of these changes to dak. Indeed
the FTP Team have been carrying out unrelated overhaul and QA work
on dak during this time.

Q. The FTP Team should be allowed to focus on processing NEW.

A. Only one FTP Team member ever processes NEW. That FTP Team member
is a hero, and is not involved in this disupute. Their work is
appreciated, and will not be interrupted.

The FTP Team member who is most strongly opposed to tag2upload, is
also the one who is tasked with the additional programming work
they say they want - and that team member has been participating
vigorously in the AI policy thread here on -vote.

Q. Wnat is a Temporary Delegation?

A. We are all used to delegations as ongoing and not time-limited, but
this is not their only purpose in our Constitution.

Just as an NMU is how we fix RC bugs or implement TC decisions when
the maintainer won't do it, time-limited delegations are the
equivalent mechanism the Constitution provides for similar
situations outside of the archive itself.

In this case what's needed is a simple change to dak.

Q. Didn't you come to a compromise agreement with ftpmaster last year?

A. We did. It was explicitly signed off by both sides, here:
https://browse.dgit.debian.org/dgit.git/commit/?id=e5512e874ddd755e2168b34d1b95f5f3ee487e71
https://lists.debian.org/debian-vote/2024/07/msg00024.html

That agreement involved us doing substantial additional work to
support additional checks by dak (that no other core team thought
worthwhile). It also envisaged ftpmaster making changes to dak, to
perform those additional checks.

We implemented our part. The FTP Team are dragging their heels on
their part. We should deploy tag2upload immediately, without those
extra parts. No other team in Debian thinks they're ncessary.

If the FTP Team still thinks they are necessary after tag2upload is
actually deployed, then they can do the necessary work on their own
time, later.

Recap for those who may not have been following things ------------------------------------------------------

tag2upload is a system for allowing every DD and DM to upload simply
by signing a git tag. It's had a thorough independent security review
by Russ Allbery. It has been blocked for 5 years by the FTP Team.

6 years ago

Prototype of tag2upload was demonstrated live in Curitiba,
We discussed tag2upload on debian-devel. The proposal was
unambiguousloy rejected by the FTP Team.

We spent the next few years trying to go via various DPLs
and other project grandees.

~1 year ago:

We sent a draft GR to -vote, suggesting overruling the FTP Team.

~11 months ago:

Only after our GR is formally proposed and seconded, the FTP Team
eventually offer a compromise, which we accept.

The FTP Team could have started their implementation work.

~4 months ago:

Our Delegation was instituted by the DPL (after consultation with
the FTP Team and others, of course).

7 weeks ago

We generated our production key and we asked for it to be installed.

We discovered that the FTP Team had done none of their
implementation work. They initially replied abusively, and with a
flat "no".

At this point tag2upload could have been operational right away
without their extra work, with something this three line patch:
https://salsa.debian.org/iwj/dak/-/commits/t2u-minimal

Eventually the FTP Team gave us a date by which the key would be
installed.

5 weeks ago

The completion date promised by FTP Team passes without them having
written a single line of code.

We once again post a draft GR. After a bit of debate, they start on
the implementation work for their extra checks.

1.5 weeks ago:

Last we heard from the FTP team, here on -vote. Interpreted
charitably, that was a holding reply.

Our pings have gone unanswered.
We have still heard absolutely nothing on a technical level.

--
Ian Jackson <[email protected]> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--
https://fam-tille.de

--
https://fam-tille.de

--
Ian Jackson <[email protected]> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Jonathan Carter writes ("Re: tag2upload - request for DPL action"):

This is all very nice, but could you please consider rather
communicating on the BTS rather than use -vote for making progress on
T2A issues?

Yes. I agree that using -vote for technical stuff isn't great.

I felt that given the situation, we ought to explicitly state where
we're at. Hence my last mail. If we have further technical issues,
we can certainly use the BTS, which it seems would be the normal
approach.

I'm guessing we should file any bugs using the ftp.debian.org
psuedopackage. So we'll do that unless we hear from the FTP Team that
they want us to do something different (eg Salsa tickets).

Ian.

--
Ian Jackson <[email protected]> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)