Scott Kitterman <deb...@kitterman.com> writes: > I agree that this isn't a major design issue, but I think it is > something that I think needs to be addressed before deployment of > tag2upload. The need is certainly rare, but when it's needed, it's > needed because it's important.
I don't understand why this would be a blocker given that dak can redo the authorization check at the same point that it does authorization checks now, should it so desire. This does require a small change to dak to retrieve the key fingerprint from the source package in the case where the source package is signed with the tag2upload key, but that doesn't seem too difficult. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
