Thomas Goirand <z...@debian.org> writes:

> I really would hate having 2 sets of uploading DDs. One with the
> archive-wide privilege, and the one without. Then you'd need to ask for
> that right, and potentially have to explain why you need it. This is a
> terrible idea, with not enough justification (IMO).
This is probably my security brain from my day job, but I would prefer to be able to drop permissions that I'm not currently using, as long as I can get them back easily. It reduces the blast radius of mistakes and compromises.

I think we're arriving, from different directions, at the importance of "get them back easily." But I think there's some merit in being able to restrict and expand your own permissions even if it is entirely automated via, say, a signed email to a control address.

Those sorts of speedbumps in the way of mistakes or compromise are sometimes unappreciated on the grounds that an attacker can just expand their permissions after a compromise, but from a security standpoint there is *some* value in each additional thing the attacker has to figure out how to do and each additional detectable interaction they have with the system, as long as it doesn't add pain for the legitimate user.

That might be a useful reframing of the idea: let those of us who would like to (possibly temporarily) voluntarily restrict the scope of our upload access have a way to do that, without implying that people who want archive-wide upload rights need to change anything.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
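The mechanism sketched in the reply above (self-imposed, reversible narrowing of upload scope, driven by signed messages to a control address, with every transition logged) as an added worked example. This is illustration code written for this page, not anything from the Debian archive software or from either poster. It assumes a hypothetical JSON command format, uses an HMAC as a stand-in for the OpenPGP signature a real control address would verify, and adds one caveat a practitioner would want: a per-uploader sequence number so that a captured "restore" message cannot simply be replayed by whoever later compromises the mailbox.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Uploader:
    """One developer's upload rights. scope=None means archive-wide (the default)."""
    name: str
    key: bytes                          # stand-in for the OpenPGP key (HMAC secret here)
    scope: Optional[frozenset] = None   # self-imposed package allow-list, or None
    last_seq: int = 0                   # highest sequence number accepted (replay rejection)


def sign(key: bytes, body: str) -> str:
    """Stand-in for an OpenPGP signature over the control-message body."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class ControlAddress:
    """Automated control address: applies signed restrict/restore requests and logs each one."""

    def __init__(self) -> None:
        self.uploaders: dict = {}
        self.audit: list = []           # every interaction, accepted or not, is recorded

    def register(self, u: Uploader) -> None:
        self.uploaders[u.name] = u

    def handle(self, sender: str, body: str, sig: str) -> bool:
        u = self.uploaders.get(sender)
        if u is None:
            self.audit.append({"from": sender, "result": "unknown-sender"})
            return False
        if not hmac.compare_digest(sign(u.key, body), sig):
            self.audit.append({"from": sender, "result": "bad-signature"})
            return False
        msg = json.loads(body)
        seq = int(msg.get("seq", 0))
        if seq <= u.last_seq:               # old but validly signed message: reject replay
            self.audit.append({"from": sender, "result": "replay", "seq": seq})
            return False
        cmd = msg.get("cmd")
        if cmd == "restrict":
            u.scope = frozenset(msg["packages"])
        elif cmd == "restore":
            u.scope = None
        else:
            self.audit.append({"from": sender, "result": "unknown-command"})
            return False
        u.last_seq = seq
        self.audit.append({"from": sender, "result": "ok", "cmd": cmd,
                           "scope": "archive-wide" if u.scope is None else sorted(u.scope)})
        return True

    def may_upload(self, name: str, package: str) -> bool:
        """Upload check: archive-wide unless the uploader narrowed their own scope."""
        u = self.uploaders.get(name)
        if u is None:
            return False
        return u.scope is None or package in u.scope


def demo() -> dict:
    """Walk through restrict, restore, re-restrict, then a replayed and a forged restore."""
    ctl = ControlAddress()
    alice = Uploader("alice", b"alice-constructed-secret")   # constructed sample uploader
    ctl.register(alice)
    out = {}

    restrict = json.dumps({"cmd": "restrict", "packages": ["foo", "bar"], "seq": 1})
    ctl.handle("alice", restrict, sign(alice.key, restrict))
    out["restricted"] = (ctl.may_upload("alice", "foo"), ctl.may_upload("alice", "baz"))

    restore = json.dumps({"cmd": "restore", "seq": 2})
    ctl.handle("alice", restore, sign(alice.key, restore))
    out["restored"] = ctl.may_upload("alice", "baz")

    restrict2 = json.dumps({"cmd": "restrict", "packages": ["foo"], "seq": 3})
    ctl.handle("alice", restrict2, sign(alice.key, restrict2))
    # An attacker who captured the earlier signed "restore" replays it verbatim.
    out["replay_accepted"] = ctl.handle("alice", restore, sign(alice.key, restore))
    # An attacker without the key forges a signature.
    out["forged_accepted"] = ctl.handle("alice", restore, "0" * 64)
    out["after_attacks"] = (ctl.may_upload("alice", "foo"), ctl.may_upload("alice", "bar"))
    out["audit_results"] = [e["result"] for e in ctl.audit]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two things the audit list makes visible are the point of the speedbump argument: a legitimate restore is one signed message, while an attacker who only has the developer's mailbox produces "replay" or "bad-signature" entries before they get anywhere, and those entries are something an archive team can alert on.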