On 17.06.2024 00:48, Marco d'Itri <m...@linux.it> wrote:

jo...@debian.org wrote:

>We want dak (and anyone else) to be able to say "Yes, DD/DM $x has
>signed off this content". That only works, if dak (and later, the
>public, if they want to check too) have the signature for this in a way
>they can verify it. And not just a line somewhere "Sure, $service
>checked this for you, trust us, please".

Yes, you have been very clear from the start that this is what you want.
But I do not think that I have seen an actual explanation of /why/ you
want that.


It's kind of in the mail you partially quoted IMHO:
1) because it is the job of FTPmaster to authenticate and authorize the uploader (and Joerg sees that as "human uploader", which I somewhat agree with) 
2) because Joerg wants third parties to be able to verify the signature of the human uploader without the need for Debian specific tools.

There is another aspect he mentioned: he thinks the uploader needs to test the build of the package. (In theory I agree, but there are situations where I test the software but not necessarily re-test the package, especially if I didn't touch the packaging itself but only the software inside.)

Kind regards, 
Sven 
