Sean Whitton writes:
> Ian and I implemented something along these lines last summer and it's
> available to try from the archive; here is how:
> <https://spwhitton.name/blog/entry/tag2upload/>
>
> As to the current status: FTP Team members objected to having
> uploader-signed git tags on dgit.debian.org be the canonical record of
> an uploader's intended source package (rather than uploader-signed .dsc
> files stored on other servers), and they objected to the ways in which
> the system relies on git SHA1 hashes.
>
> I still believe that the design is sound and deploying the system can
> and should go ahead, but we could not overcome the disagreement.
There are also other issues, such as the system seeming to accept uploads from known-compromised keys last I looked at it, though maybe security experts disagree about how much of an issue this is in practice.

Ansgar
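A gate of the kind the compromised-key concern above calls for, as an added example that is not tag2upload's or dgit's own code: it parses the GnuPG status lines that `git verify-tag --raw` prints and rejects a tag whose signing or primary key is on a blocklist, or that gpg reports as revoked, expired or bad. The status samples, fingerprints and blocklist are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# GnuPG status lines as `git verify-tag --raw` prints them on stderr (format from
# GnuPG's doc/DETAILS). Samples are constructed; fingerprints are placeholders.
GOOD_FPR = "AAAA0000111122223333444455556666777788889999"
BAD_FPR = "BBBB0000111122223333444455556666777788889999"

def _status(sig_keyword: str, fpr: str) -> str:
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] {sig_keyword} {fpr[-16:]} Example Uploader <uploader@example.org>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 22 8 01 {fpr}\n"
        "[GNUPG:] TRUST_FULLY 0 pgp\n"
    )

GOOD_TAG = _status("GOODSIG", GOOD_FPR)          # valid tag, unblocked key
COMPROMISED_TAG = _status("GOODSIG", BAD_FPR)    # valid signature, blocklisted key
REVOKED_TAG = _status("REVKEYSIG", GOOD_FPR)     # gpg itself flags the key as revoked

# Constructed blocklist of fingerprints known to be compromised.
COMPROMISED_FINGERPRINTS = {BAD_FPR}

# Any of these status keywords means the signature must not be trusted.
REJECTING = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

@dataclass
class Verdict:
    accepted: bool
    fingerprint: Optional[str]
    reason: str

def gate_tag_signature(status: str, compromised: set) -> Verdict:
    """Accept only a GOODSIG whose signing and primary key are not blocklisted."""
    good = False
    signing_fpr = primary_fpr = None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECTING:
            return Verdict(False, None, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            signing_fpr = fields[2]
            # Field 11 is the primary key fingerprint when a subkey signed.
            primary_fpr = fields[11] if len(fields) >= 12 else signing_fpr
    if not good or signing_fpr is None:
        return Verdict(False, None, "no good signature")
    for fpr in (signing_fpr, primary_fpr):
        if fpr in compromised:
            return Verdict(False, fpr, "signing key is on the compromised-key list")
    return Verdict(True, signing_fpr, "good signature from an unblocked key")
```

Checking the primary fingerprint as well as the signing fingerprint means a subkey of a compromised primary key is also refused.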