On Tue, Dec 23, 2025 at 01:03:13PM +0000, Sean Whitton wrote: > On Tue 23 Dec 2025 at 01:31pm +01, Lucas Nussbaum wrote: > > >> Policy explicitly says that these fields must not be added except for > >> uploads processed by tag2upload. So a patch like this should not be > >> installed. > > > > What is the rationale for this? > > I should have spoken more precisely. > This is what it says for each field: > > Uploads not generated in accordance with the tag2upload protocol > must not include this field. > > The tag2upload protocol means what's documented in tag2upload(5). > > Inclusion of the fields is a statement that that protocol was followed > for the upload. So, inclusion of the fields implies that the upload was > initiated by means of an uploader-signed tag with certain metadata, and > an automatic auditing program could trace the upload back to that tag. > If we add the fields for any other uploads then an automatic auditing > process like that probably wouldn't be feasible.
While this makes sense to me, I'll say the field should then never have been called the way it is called now. Given its tag2upload-specific, it should have "tag2upload" somewhere in the name. Best, Chris
