Daniel Gröber writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> Hi Ansgar,
>
> On Fri, Jun 14, 2024 at 10:39:11PM +0200, Ansgar 🙀 wrote:
> > ...
>
> Could you please expand on this and/or provide references? I have no idea
> what you're even talking about here.

FTR, I have no idea either. Ansgar's assertions in this subthread seem quite wild and incomprehensible.

> > I doubt any more involved patches to fix security issues would be
> > applied. So I decided to not waste my time on that (but I checked
> > briefly and at a quick glance it looks like issues from ~5 years ago
> > are still not resolved) and not stand in the way to create another
> > stalemate in case someone wants to fix them.
>
> Glances can be deceiving. From what I've seen from dgit bugs Ian just likes
> to keep bugs open for discussion. I see no problem if that's what you're
> seeing.
>
> What bugs are you looking at? Please be more concrete.

dgit has many open tickets in the Debian BTS, it's true.
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dgit
It's existed for 11 years and is a complicated piece of software. Perhaps we should stop using dpkg? It has ~5x as many open tickets!

Personally I like to keep a bug open whenever it represents an opportunity for improvement to the software - or, even, as documentation, when it probably doesn't. For example, #726953 "dgit fails with submodules" is not very likely to ever be closed, and I think git submodules could never work with tag2upload. (Ob. note: never use git submodules! https://diziet.dreamwidth.org/14666.html.)

And, even quite important bugs can remain unsolved for a long time, if they depend on changes elsewhere. That's true of many of the Important tickets. For example I had a conversation with some folks about #829526 "No TOFU for git server host key" (sadly in RT, I think, so not public) and it's quite nontrivial. As another example, #932558 "git-debpush service is not deployed" has been blocked for four years, despite formal appeals to several DPLs and informal requests for help to several ex-DPLs and TC members; it might be unblocked by a GR, soon.

None of the open tickets are IMO critical to tag2upload, other than #1069001 "tag2upload: [dgit ...] should include source= and version= fields", which is a work item arising from Russ's security review. (The design is updated; that bug represents the fact that the code has not yet been improved.) And I would very much like to address #1073157 "[dgit-infrastructure] access control system should have emergency fingerprint blocklist", which arose from this thread.

If you look at
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=1;src=dgit
  https://tracker.debian.org/pkg/dgit
you can see that stagnation is not what's happening here.

Of course, like any project in Debian, if people would like to help work on dgit and tag2upload to improve things, that'd be very welcome. But, yes, we are asking the project to approve the system basically as it is now.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.