Hello everyone,
This is a draft GR. I'm posting it now for textual review, because of
the relative shortness of our official discussion periods.
After some time for review, I'll post again seeking seconds.
The first sections are an introductory discussion. For the actual GR
text, scroll down t
On Tue, 11 Jun 2024 at 23:25, Sean Whitton wrote:
>
> Hello everyone,
>
> This is a draft GR. I'm posting it now for textual review, because of
> the relative shortness of our official discussion periods.
>
> After some time for review, I'll post again seeking seconds.
>
> The first sections are
Sean,
Thanks for taking the time to put this together.
On Tuesday, June 11, 2024 3:25:02 PM MST Sean Whitton wrote:
> ftpmaster stated a hard requirement that dak has to be able to
> completely re-perform the verification of maintainer intent done by the
> tag2upload service. That goal cannot be
Luca Boccassi writes:
> And on the implementation details, I really do not like the idea of
> having a competing git forge with Salsa. This dgit server seems to just
> be a ye olde git-web interface.
Does it support gitweb? I thought it only supported regular Git
operations, but I could be mist
Hi all,
Below is the security review that I did of the tag2upload design.
I am not a neutral party, in the sense that I think tag2upload is a good
idea and should be deployed. However, I do these types of security
reviews professionally, and I tried to approach this review the same way
that I wo
Soren Stoutner writes:
> On Tuesday, June 11, 2024 3:25:02 PM MST Sean Whitton wrote:
>> ftpmaster stated a hard requirement that dak has to be able to
>> completely re-perform the verification of maintainer intent done by the
>> tag2upload service. That goal cannot be met without fatally
>> und
Hello,
On Tue 11 Jun 2024 at 05:24pm -07, Soren Stoutner wrote:
> Sean,
>
> Thanks for taking the time to put this together.
>
> On Tuesday, June 11, 2024 3:25:02 PM MST Sean Whitton wrote:
>> ftpmaster stated a hard requirement that dak has to be able to
>> completely re-perform the verification
Hello,
On Wed 12 Jun 2024 at 09:44am +08, Sean Whitton wrote:
> The short answer is that the input to dak is a source package, not a git
> tag. And it's the latter that is signed by the maintainer, under
> tag2upload.
>
> A longer answer is that for dak to do that, it would need to reimplement
>
Hi,
On Wed, 2024-06-12 at 06:25 +0800, Sean Whitton wrote:
> As tag2upload is security-sensitive, the design has had careful,
> independent security review from Russ Allbery and Jonathan McDowell,
As I said several times before: the implementation has known security
bugs (unless you fixed them).
Ansgar 🙀 writes:
> As I said several times before: the implementation has known security
> bugs (unless you fixed them). But I guess this is going to get ignored
> again anyway...
Could you describe what known security vulnerabilities you believe exist,
particularly if they are things that aren'