
launchpad-dev team mailing list archive

Re: Build From Branch, or BFB


On Wed, Oct 07, 2009 at 11:11:14AM +0100, James Westby wrote:
> > This is problematic in quite a few regards and we planned to switch over
> > to an authenticated (ssh based?) upload mechanism since July of last
> > year.
> 
> That's interesting, because...
> 
> > This would make it possible to upload unsigned packages
> 
> That changes the security assurances that we have for packages, you
> are now relying on SSH keys rather than GPG keys. Are they believed
> to give us the same assurances?

I don't know the answer to that, but I want to underline that changing
the GPG requirement is a /possibility/ of allowing SSH uploads. We could
also allow people to use SSH but still require GPG-signed packages and
rock the boat slightly less during that change. Doing that may require
comparing SSH and GPG keys to verify the owners match, but it's an easy
step forward.

> Is this change driven by concerns over the current process for binary uploads
> from the buildds?

Well, one driver of it is being able to provide synchronous
authentication feedback to the uploader; today anonymous FTP means fire
and forget and if we can't validate the GPG key, we can't send email
back to the uploader (we don't know who he is!) and that leads to
support issues of the sort "where's my upload". Other sorts of more
synchronous feedback would be possible in this model.
-- 
Christian Robottom Reis | [+55 16] 3376 0125 | http://launchpad.net/~kiko
                        | [+55 16] 9112 6430 | http://async.com.br/~kiko
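As an added illustration of the arrangement Christian floats above (SSH for the upload itself, a still-mandatory GPG signature on the package, a check that the SSH account and the signing key belong to the same person, and the verdict handed back to the uploader while the session is open): the Python below is example code written for this page, not Launchpad's own upload processor. It assumes the `--status-fd` output format of gpg, a hypothetical fingerprint-to-account registry, and a forced SSH command that passes the authenticated account name; the status lines and fingerprints in it are constructed.

```python
"""Gate an SSH-authenticated package upload on a GPG signature that belongs
to the same account, and hand the verdict straight back to the uploader.

Added example for the scheme discussed above (SSH transport plus mandatory
GPG-signed packages, with key owners cross-checked); it is not Launchpad code.
"""
import subprocess
from dataclasses import dataclass, field

# Hypothetical registry: primary-key fingerprint -> account name. A real
# system would consult its account database; the values here are constructed.
GPG_REGISTRY = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "uploader",
}

# Any of these status keywords means the signature must not be trusted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class SignatureReport:
    valid_fingerprints: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def parse_gpg_status(status_text: str) -> SignatureReport:
    """Parse the machine-readable lines gpg writes to --status-fd.

    GOODSIG only says a key was found and the signature checked out; VALIDSIG
    is the line that carries the fingerprint, and its last field (when gpg
    prints it) is the primary key's fingerprint, which is what accounts are
    registered under.
    """
    report = SignatureReport()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG" and len(fields) >= 3:
            primary_fpr = fields[11] if len(fields) >= 12 else fields[2]
            report.valid_fingerprints.append(primary_fpr.upper())
        elif keyword in FAILURE_KEYWORDS:
            report.problems.append(keyword)
    return report


@dataclass
class Decision:
    accepted: bool
    message: str  # sent back over the still-open SSH session, not by e-mail


def decide_upload(ssh_user: str, status_text: str, registry=GPG_REGISTRY) -> Decision:
    """Accept only if a valid signature's key is registered to ssh_user."""
    report = parse_gpg_status(status_text)
    if report.problems:  # fail closed on any bad, unknown or expired signature
        return Decision(False, "rejected: signature check failed (%s)"
                        % ", ".join(sorted(set(report.problems))))
    if not report.valid_fingerprints:
        return Decision(False, "rejected: .changes file carries no valid GPG signature")
    owners = {fpr: registry.get(fpr) for fpr in report.valid_fingerprints}
    for fpr, owner in owners.items():
        if owner == ssh_user:
            return Decision(True, "accepted: signed by %s with key %s" % (owner, fpr[-16:]))
    unregistered = [fpr for fpr, owner in owners.items() if owner is None]
    if unregistered:
        return Decision(False, "rejected: signing key %s is not registered to any account"
                        % unregistered[0][-16:])
    other = next(owner for owner in owners.values())
    return Decision(False, "rejected: package signed by %s but uploaded over SSH as %s"
                    % (other, ssh_user))


def gpg_status_for(changes_path: str, keyring: str) -> str:
    """Run gpg against a .changes file and return its status output.

    Not exercised offline; assumes a gpg binary and a keyring holding the
    registered public keys. Status lines go to fd 1, human chatter to stderr.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", changes_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed status output, in the shape gpg --status-fd produces.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-10-07 1254906674 0 4 0 17 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Uploader <uploader@example.com>
"""
UNREGISTERED_STATUS = GOOD_STATUS.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567", "89ABCDEF0123456789ABCDEF0123456789ABCDEF")


if __name__ == "__main__":
    import sys
    # Assumed deployment: a forced command in authorized_keys passes the
    # account name, so argv[1] is the SSH-authenticated user.
    verdict = decide_upload(sys.argv[1], gpg_status_for(sys.argv[2], sys.argv[3]))
    print(verdict.message)
    sys.exit(0 if verdict.accepted else 1)
```

The point of splitting the decision out from the gpg call is that the rejection text is what the uploader sees immediately on their terminal, which is exactly the "where's my upload" feedback anonymous FTP cannot give; note also that the check fails closed on any BADSIG, ERRSIG or NO_PUBKEY line rather than trusting gpg's exit status alone.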