On Wed, 12 Jun 2024 at 17:46, Russ Allbery <r...@debian.org> wrote:
>
> Luca Boccassi <bl...@debian.org> writes:
>
> > As per the security review just shared, admin access to Salsa allows
> > to push commits anyway which would get uploaded just the same,
>
> I'm not sure that I understand what you're saying here, but if I did
> understand this correctly, no, this is not correct. My security review
> says the exact opposite of this: admin access to Salsa does not allow you
> to bypass the tag2upload checks or upload a source package.

Probably "push commits anyway" was a wrong oversimplification; what I was referring to was all the various "someone with admin access on Salsa" mentions in the document you shared.