Hello, On Tue 11 Jun 2024 at 05:24pm -07, Soren Stoutner wrote:
> Sean,
>
> Thanks for taking the time to put this together.
>
> On Tuesday, June 11, 2024 3:25:02 PM MST Sean Whitton wrote:
>> ftpmaster stated a hard requirement that dak has to be able to
>> completely re-perform the verification of maintainer intent done by the
>> tag2upload service.  That goal cannot be met without fatally undermining
>> the tag2upload design and user experience.
>>
>> Russ Allbery, and others, tried very hard to get ftpmaster to explain
>> why this should be a requirement, but we never got an answer that we
>> could understand as a strong technical objection, despite many attempts.
>
> In order to make an informed decision, can you please explain in what way dak
> is not able to "completely re-perform the verification of maintainer intent
> done by the tag2upload service"?

The short answer is that the input to dak is a source package, not a git
tag.  And it's the latter that is signed by the maintainer, under
tag2upload.

A longer answer is that for dak to do that, it would need to reimplement
all of tag2upload.  As you will see from the design docs, we have
carefully sandboxed the various stages of tag2upload's processing, for
security isolation.  It wouldn't make sense to implement all that again
on dak.  And indeed, the git-to-source-package processing should not
happen on the same host where we have the master archive signing keys.

Thanks for the query!

-- 
Sean Whitton
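To make concrete what "the input to dak is a source package, not a git tag, and it's the latter that is signed" means, here is an added example that is not part of the thread and not tag2upload or dak code. It takes a signed git tag object (the format `git cat-file -p` prints and `git verify-tag` checks) and a clearsigned `.dsc`, and extracts from each the exact bytes the OpenPGP signature covers. Both artifacts are constructed: the commit id, signature blocks, checksums and package name are placeholders. The point it shows is that the maintainer's tag signature binds a git commit id and a git tree, neither of which appears anywhere in the `.dsc` that dak receives, so dak could only re-check the tag with the git objects and the full git-to-source conversion at hand.

```python
import hashlib

# Constructed signed tag object (placeholder commit id and signature), laid
# out as `git cat-file -p` shows it: headers, blank line, message, then the
# OpenPGP block that `git tag -s` appends to the message.
SIGNED_TAG = b"""object 2f4c1e5d8a9b0c7d6e3f2a1b4c5d6e7f8a9b0c1d
type commit
tag debian/1.2-3
tagger Example Maintainer <maintainer@example.org> 1718150000 -0700

hello 1.2-3 for unstable
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE...placeholder...
-----END PGP SIGNATURE-----
"""

# Constructed clearsigned .dsc (placeholder checksums and signature).
SIGNED_DSC = b"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: hello
Binary: hello
Architecture: any
Version: 1.2-3
Maintainer: Example Maintainer <maintainer@example.org>
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 12345 hello_1.2.orig.tar.gz
 0000000000000000000000000000000000000000000000000000000000000000 6789 hello_1.2-3.debian.tar.xz
Files:
 00000000000000000000000000000000 12345 hello_1.2.orig.tar.gz
 00000000000000000000000000000000 6789 hello_1.2-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE...placeholder...
-----END PGP SIGNATURE-----
"""

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----\n"


def git_object_id(kind, body):
    """Git object id: SHA-1 over "<type> <len>\\0<body>" (git's own scheme)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def split_signed_tag(tag):
    """Split a signed tag into (payload, signature) the way `git verify-tag`
    does: the signature block is everything from its BEGIN line to the end,
    and the OpenPGP signature is verified over everything before it."""
    idx = tag.find(SIG_BEGIN)
    if idx < 0:
        return tag, b""
    return tag[:idx], tag[idx:]


def parse_tag_headers(payload):
    """Return ({header: value}, message) for the unsigned part of a tag."""
    head, _, message = payload.partition(b"\n\n")
    headers = {}
    for line in head.split(b"\n"):
        key, _, value = line.partition(b" ")
        headers[key.decode()] = value.decode()
    return headers, message.decode()


def clearsigned_payload(dsc):
    """Bytes a clearsignature covers: after the armor headers ("Hash:" and
    a blank line), up to but not including the line ending that precedes
    the signature armor (RFC 4880 section 7).  Dash-escaping is not needed
    here because no signed line starts with '-'."""
    body = dsc.split(b"-----BEGIN PGP SIGNED MESSAGE-----\n", 1)[1]
    _, _, text = body.partition(b"\n\n")
    return text.split(b"\n-----BEGIN PGP SIGNATURE-----", 1)[0]


def parse_dsc_fields(text):
    """Parse RFC 822 style .dsc fields; indented lines continue a field."""
    fields, key = {}, None
    for line in text.decode().splitlines():
        if line.startswith(" "):
            fields[key] += "\n" + line
        else:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


def commit_bound_by_tag(tag):
    """The commit id the maintainer's tag signature is bound to."""
    headers, _ = parse_tag_headers(split_signed_tag(tag)[0])
    return headers["object"]


def source_package_names_commit(dsc, commit_id):
    """Does the signed part of the .dsc carry the commit id at all?"""
    return commit_id.encode() in clearsigned_payload(dsc)
```

Two things to notice when running it: `git_object_id("tag", SIGNED_TAG)` differs from the id of the unsigned payload, because the tag's own object id covers the embedded signature (so a re-signed tag is a different tag), and the `.dsc`'s signed text lists tarballs and checksums with no field that names a git commit, which is why a verifier holding only the source package has nothing to check the tag signature against.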