On June 16, 2024 4:38:03 AM UTC, Sean Whitton <spwhit...@spwhitton.name> wrote:
>Hello,
>
>On Fri 14 Jun 2024 at 06:06pm GMT, Scott Kitterman wrote:
>
>>
>> I'm a bit confused by the claim that no infrastructure changes are needed for
>> this to go forward.
>>
>> If I have been following the proposal correctly, source packages will be
>> signed by tag2upload and not the uploader.  Doesn't that mean changes are
>> going to be needed so that we know in the archive who uploaded the package?
>>
>
>Ah, do you mean how tracker.d.o shows (signed by: f...@bar.org) for a
>sponsored upload?
>
That's one place it shows up.

Today I can download any source package in the archive and verify who uploaded 
the package and is responsible for its contents.  It doesn't matter if I 
download it from the main archive or a mirror.  Personally, I think that's an 
important characteristic of our package archive, which is lost by tag2upload.

Scott K
