Re: Summary of the current state of the tag2upload discussion

2024-06-27 Thread Soren Stoutner
> o do than we have resources to do. I want to use that energy as wisely as possible. That means I *particularly* do not want that energy to go into doing things that humans are bad at and that probably won't be done well anyway. This means designing the whole upload system so that we can create mechanisms like reproducible binary builds, reproducible source builds, autopkgtests, and other ways to move the load onto computers and off of humans and save that precious human attention for the things that only humans can do.

-- Soren Stoutner so...@debian.org signature.asc Description: This is a digitally signed message part.

Re: Summary of the current state of the tag2upload discussion

2024-06-21 Thread Soren Stoutner
m that is visible to the DD, but that they either don’t review or don’t recognize as being malicious, or 2) malicious code intentionally inserted by the DD that they sign and upload with the intent of compromising Debian. -- Soren Stoutner so...@debian.org

Re: [RFC] General Resolution to deploy tag2upload

2024-06-18 Thread Soren Stoutner
On Tuesday, June 18, 2024 8:57:28 AM MST Aigars Mahinovs wrote:
> On Tue, 18 Jun 2024 at 17:44, Soren Stoutner wrote:
> > From a security perspective, it makes sense to me that the DD should create a .dsc and .changes and sign them, and then tag2upload should cr

Re: [RFC] General Resolution to deploy tag2upload

2024-06-18 Thread Soren Stoutner
es the security posture of Debian by generating the source package in tag2upload's controlled environment. From my perspective, the extra work that needs to be done on the DD’s system to create and sign the .dsc and .changes is worth the benefits in the previous four paragraphs. -- Soren Stoutne

Re: [RFC] General Resolution to deploy tag2upload

2024-06-15 Thread Soren Stoutner
covered. -- Soren Stoutner so...@debian.org

Re: [RFC] General Resolution to deploy tag2upload

2024-06-12 Thread Soren Stoutner
ed. Having the *option* to do everything in Git when that matches upstream or otherwise is desirable is a rational progression in Debian’s architecture. -- Soren Stoutner so...@debian.org

Re: [RFC] General Resolution to deploy tag2upload

2024-06-11 Thread Soren Stoutner
n, despite many attempts. In order to make an informed decision, can you please explain in what way dak is not able to "completely re-perform the verification of maintainer intent done by the tag2upload service”? Thanks. -- Soren Stoutner so...@debian.org

Re: Question to all voters: Is team upload in some example case OK? (Was: Question to all candidates: What are your technical goals)

2024-04-04 Thread Soren Stoutner
insightful in helping me understand how Andreas would approach being the DPL, thus informing my vote. -- Soren Stoutner so...@debian.org

Re: Question to candidates: what are your quantitative diversity goals and metrics?

2024-03-29 Thread Soren Stoutner
l? Having specific numbers is a helpful first step in addressing the problem. -- Soren Stoutner so...@debian.org

Re: Question to candidates: what are your quantitative diversity goals and metrics?

2024-03-29 Thread Soren Stoutner
I don’t think the DPL has to have all the answers going in. But I would hope that Roberto’s excellent question and his consistency in noting that it hasn’t yet been answered, would be helpful in directing the entire conversation towards concrete things we can implement to improve the situation.

Re: Candidates question: politics and Debian

2024-03-22 Thread Soren Stoutner
ecause I do not find the tone of the message appropriate for a Debian mailing list). -- Soren Stoutner so...@debian.org

Re: On community and conflicts

2023-03-15 Thread Soren Stoutner
patent laws, which can become controversial in some quarters, being something where the nexus is strong enough that it is appropriate to discuss them in Debian. Unless it rises to /that/ level, I don’t believe this is the right place for it to happen. Soren -- Soren Stoutner so...@stoutn

Re: On community and conflicts

2023-03-15 Thread Soren Stoutner
MST Thomas Koch wrote:
> > Soren Stoutner wrote on 15.03.2023 19:07 EET:
> >
> > I would be interested in hearing the details of what happened.
>
> There you go:
> https://blog.koch.ro/posts/2023-03-15-debian-exclusion.html

-- Soren Stoutner

Re: On community and conflicts

2023-03-15 Thread Soren Stoutner
> be healed.
>
> All the best, Thomas Koch

-- Soren Stoutner so...@stoutner.com