On Tuesday, August 27, 2019 8:04:06 PM EDT Russ Allbery wrote:
> Scott Kitterman <deb...@kitterman.com> writes:
>
> > As an example, I recall concerns about there not being an uploader
> > signature on the source anymore, so we would lose the ability to verify
> > from the archive who was responsible for the upload.
>
> Does anyone do this? Does it work today?
>
> I'm dubious that you would be able to successfully verify all of the
> archive from *.dsc signatures now. Maybe you would be able to verify the
> pieces that are the most important to you, though?
>
> I think this requirement is a bit incomplete, in that I don't understand
> the use case that would lead you to want to do this. It's more of a
> description of an implementation strategy than a use case, which makes it
> hard to find other ways of accomplishing the same use case.
I sometimes use who-uploads from devscripts when I want to find out who actually did an upload. In theory, it could be re-written to support whatever. I also check that the signature validates when I download a package from the archive. I like the fact that this signature connects to a developer key in the keyring.

That said, I'm not the one who suggested losing this would be a problem in the previous thread, so I can't say what they were thinking. I just don't think the threat assessment is a serious response to what people were suggesting. It would be a mistake to assume silence is concurrence.

I may be wrong, but I think Ian's made up his mind what he wants to do, so there's not a lot of point in convincing him otherwise.

Scott K