Ansgar ๐ <ans...@43-1.org> writes: > On Fri, 2024-06-14 at 11:45 -0700, Russ Allbery wrote:
>> Sorry, I don't understand.ย What isn't complete?ย I just explained how >> dak could continue to enforce all the same authorization checks as it >> does today.ย This is part of the design as proposed.ย The key >> fingerprint of the original tag signer is present in the Git-Tag-Info >> header in the *.dsc file as uploaded to dak. > This would require the check to be implemented correctly in tag2upload. > Otherwise whatever check dak performs is fairly useless. It requires that the signature on the Git tag be correctly checked and that fingerprint be put into the *.dsc file, yes. It doesn't require that dak then also trust the authorization checks. > We would also have a new critical system written and maintained by 1.2 > people in a fairly old-style Perl dialect that have previously not kept > up with promises to maintain software stacks (e.g., systemd-shim which > then had to be replaced by other people with something else). Yes, the tag2upload developers implemented the service the way that they implemented it, and the proposed GR would say that they can deploy that implementation. Asking them to redo that work in a different programming language or with a substantially different architecture before it can be deployed is not, at this point, a reasonable request, even apart from the general principle that Debian is a volunteer project and no one is required to do work. I think that some of the posts on this thread are exactly backwards in their understanding of human motivation. Blocking someone's work from being used until it's done the way that you would have done it yourself is not motivating, it's horribly demotivating. Seeing your work deployed live and actively used by Debian does not eliminate the motivation to make any further changes; rather, it increases the willingness to do further work drastically. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
