On 6/13/24 10:21, Sean Whitton wrote:
> Hello,
>
> On Thu 13 Jun 2024 at 08:23am +02, Thomas Goirand wrote:
>
>> One thing I really dislike is having a single gpg key to upload them all. I
>> very much preferred the design that Didier explained during Debconf Kosovo,
>> where the .changes signature is uploaded together with the tagged commit.
>>
>> Your thoughts?
>>
>> Cheers,
>>
>> Thomas Goirand (zigo)
>>
>> P.S: The thread is huge, I have no time to read it all, sorry if someone else
>> also raised the same concern.
>
> I'm not sure about the characterisation that it's one key to upload them
> all. tag2upload will be an official service, no less so than ftp-master
> -- you could as well say that the current archive signing key is one key
> to release them all.
>
> This message from Ian argues against adding things like .changes files:
> <https://lists.debian.org/debian-vote/2024/06/msg00031.html>.
>
> Please excuse me if this does not address exactly Didier's design, with
> which I am not familiar.

Please read his lightning talk "debconf22-94-lightning-talks.webm".
Here's the first to talk in the video:
https://meetings-archive.debian.net/pub/debian-meetings/2022/DebConf22/
What I found super nice with his design is that:
* there's no need to modify anything on the Debian infrastructure
* there's no need for a GR or a change of any Debian current policy.
* packages continue to be signed with your own DD key
Why can't we move to this route, with standardized tooling?
Cheers,
Thomas Goirand (zigo)