Re: Evolving away from source package realms
Hi Charles,

On Sun, Oct 16, 2022 at 01:06:23PM +0900, Charles Plessy wrote:
> Le Wed, Oct 12, 2022 at 12:14:35AM +0000, Scott Kitterman a écrit :
> > 
> > What fraction of security issues we've had in Debian do you think
> > narrower upload permissions would have prevented?
> 
> Exactly zero.  But my comment is not about the past, it is about the
> future.
> 
> I think that a proper risk assessment would be worth doing, and I also
> think that this mailing list is not a proper place for doing it, not
> because of secrecy but because of noise and lack of focus.  Discussing
> the conclusions here would of course be important.

IMHO the "risk assessment" for most DDs is already done via the NM process.
Usually people are mindful of when they upload, and do ask others
for opinions when they do NMUs.
Risk assessment might as well be a slippery slope, as it would allow
some DDs over others to upload things, which will create extra friction.

> On my side, I would be fine if my upload key would be restricted to the
> packages that me and my packaging team maintain.  I am very unlikely to
> need archive-wide privileges in the near future.

I can understand. However, that is not true for a lot of DDs (including me).
Many people do need archive-wide privileges. Tobias gave a rather crisp reason
in their mail.

> Have a nice Sunday,

You too!

-- 
Best,
Nilesh

Attachment: signature.asc
Description: PGP signature