Your message dated Thu, 24 Jan 2019 15:12:06 +0100
with message-id <[email protected]>
and subject line Re: Bug#840104: Encrypted uploads to the security archive
has caused the Debian Bug report #840104,
regarding Encrypted uploads to the security archive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
840104: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840104
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ftp.debian.org,security.debian.org

It's been a longstanding problem that the uploads to the security
archive are not encrypted in any way. I think this is a problem
for all embargoed uploads that we are doing.

Upstream might actually do all that's possible to keep the
security issues secret. But it can potentially leak when it gets
uploaded to the security archive. As far as I know only ftp is
currently supported.

I can think of several ways of doing this, but you probably want
to talk to DSA about some of those options. They include:
- Allow uploads over ssh / sftp. This could be anonymous, or give
  access to the same user with all the ssh keys or something.
- Use ftps (ftp over ssl), but I'm not sure how well that is
  supported.
- Encrypt the thing that is uploaded, then still use ftp.
  We'd probably need a tool like debsign that puts it in the right
  format.
- Some upload mechanism over https


Kurt

--- End Message ---
--- Begin Message ---
> I have found a way to force rsync permissions to 0640. I have applied
> that to the wrapper script. Following that I have switched the upload
> queue on the build daemons to the SSH one.
> 
> I guess this basically solves this bug.

As nobody reported problems, I'll close the bug then.

Ansgar

--- End Message ---
