On Sat, Apr 05, 2025 at 12:07:42PM +0100, Ian Jackson wrote:
> Further to mailing list discussions, please would you add the tag2upload
> Oracle key to the debian-keyring package.
>
> As discussed on-list, this key will be signing normalised git tags and
> source packages, and it should therefore be properly public and
> discoverable.
>
> I think this should be in a separate keyring, debian-tag2upload.gpg,
> because automated systems need to use it for verification. Having it as
> a separate keyring, rather than treating it as a role key, means not
> having to add additional access control / key identification machinery
> to those systems.
>
> I have prepared a git branch containing what I think are the necessary
> changes to the debian-keyring source:
>
>   https://salsa.debian.org/iwj/debian-keyring/-/tree/t2u?ref_type=heads
>   git revision 8147605fb502ee458f861d9789df892771fb44b8
>
> Management of the key is currently shared between the tag2upload team
> and DSA. I created the key on the hardware token, so no human has ever
> had access to the key material. The key bears my signature.
>
> I hope this is a convenient way to convey this request.
It's not clear to me why this key should fall under the remit of the keyring team. Is it substantially different to a buildd key, which we also take no involvement with? It seems like it's managed by DSA/tag2upload and only consumed by ftp-master, so adding in keyring-maint seems like unnecessary overhead?
(Compare, for example, the general requirement for DDs/DMs to be able to replace their keys easily for all project use.)
J.

-- 
] https://www.earth.li/~noodles/          [] No program done by a hacker will [
] PGP/GPG Key @ the.earth.li              [] work unless he is on the system. [
] via keyserver, web or email.            []                                  [
] RSA: 4096/0x94FA372B2DA8B985            []                                  [