Debian General Resolution Hopes To Move Useful "tag2upload" Forward
A Debian General Resolution was called following a lengthy and contentious period among Debian stakeholders over moving forward with tag2upload, a system that lets Debian developers and maintainers more easily carry out source-only uploads by using a signed Git tag.
Tag2upload aims to make it easier for Debian developers and maintainers to carry out source-only uploads using a signed Git tag. It should make source-only uploads quicker and easier, and those in favor of it argue that it improves the traceability and auditability of uploads. A security review of tag2upload was previously conducted and its design is considered complete, alongside a fully working prototype, but the Debian FTP masters have refused to trust uploads from it. Thus the Debian General Resolution (GR) has been brewing to override the dissent.
The Debian "ftpmaster" team wants the tag2upload Git tags to contain a manifest of all files in the .dsc file, but that can't easily be done because more of the source package uploading work is punted to the remote project infrastructure.
If approved, within months the hope is that tag2upload would be capable of handling "most of our day-to-day source-only uploads."
And thus the general resolution is now underway for Debian stakeholders to consider. The hope of the general resolution is:
tag2upload allows DDs and DMs to upload simply by using the git-debpush(1) script to push a signed git tag.
tag2upload, in the form designed and implemented by Sean Whitton and Ian Jackson, and design reviewed by Jonathan McDowell and Russ Allbery, should be deployed to official Debian infrastructure.
Under Constitution §4.1(3), we overrule the ftpmaster delegate's decision: the Debian Archive should be configured to accept and trust uploads from the tag2upload service.
Future changes to tag2upload should follow normal Debian processes.
Nothing in this resolution should be taken as requiring maintainers to use any particular git or salsa workflows.
The discussion period began last week and lasts for a minimum of two weeks. After that, it's on to voting by Debian developers for the following two weeks.
Update: The GR has been withdrawn.