Hello,

On Tue 23 Dec 2025 at 01:31pm +01, Lucas Nussbaum wrote:
>> Policy explicitly says that these fields must not be added except for
>> uploads processed by tag2upload. So a patch like this should not be
>> installed.
>
> What is the rationale for this?

I should have spoken more precisely.
This is what it says for each field:

    Uploads not generated in accordance with the tag2upload protocol
    must not include this field.

The tag2upload protocol means what's documented in tag2upload(5).
Inclusion of the fields is a statement that that protocol was followed
for the upload. So, inclusion of the fields implies that the upload was
initiated by means of an uploader-signed tag with certain metadata, and
an automatic auditing program could trace the upload back to that tag.
If we add the fields for any other uploads then an automatic auditing
process like that probably wouldn't be feasible.

[CCing Ian -- for context see #1123842.]
--
Sean Whitton

