make db.torproject.org a real debian archive
I often have trouble uploading packages following our procedure here:
https://help.torproject.org/tsa/howto/build_and_upload_debs/#Uploading_admin_packages
For example, just now I have stumbled upon this:
Failed to upload userdir-ldap-cgi_0.3.43~x.tpo.8.dsc to anarcat@alberti.torproject.org:/srv/db.torproject.org/ftp-archive/archive/pool/tpo-all/userdir-ldap-cgi_0.3.43~x.tpo.8.dsc: scp: /srv/db.torproject.org/ftp-archive/archive/pool/tpo-all/userdir-ldap-cgi_0.3.43~x.tpo.8.dsc: Permission denied
That was because there was already a .8.dsc file from a previous ("UNRELEASED") upload. (I feel it was a mistake to upload such a package in the first place, but that's beside the point: this is only one of many ways this procedure can fail on upload.)
The archive also manually handles OpenPGP certifications and rotations, which is sub-optimal, to say the least, from a security perspective.
Instead, we should use well-known software like reprepro or something else to manage the repository, with a proper "incoming" queue.
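
One possible reprepro layout with an incoming queue, added here as an illustration; it is not taken from the ticket or from the existing archive's configuration. The codename `tpo-all`, the component `main`, the architectures, the directory names and the key placeholders are all assumptions.

```text
# conf/distributions  (codename, component and architectures are assumptions)
Codename: tpo-all
Components: main
Architectures: amd64 source
# reprepro signs the Release file itself with this archive key (placeholder),
# so rotating the archive key is a one-line change here.
SignWith: <ARCHIVE-KEY-ID>
# Only .changes files signed by a key listed in conf/uploaders are accepted.
Uploaders: uploaders

# conf/uploaders  (one line per admin key; key id is a placeholder)
allow * by key <UPLOADER-KEY-ID>

# conf/incoming  (queue name and directories are assumptions)
Name: default
IncomingDir: incoming
TempDir: tmp
Allow: tpo-all
# Delete the uploaded files from incoming/ when an upload is denied or fails,
# so a rejected upload does not block the next attempt.
Cleanup: on_deny on_error

# Uploaders copy the .changes and the files it lists into incoming/ only;
# the pool is written by reprepro when the archive host runs:
#   reprepro processincoming default
# A file whose name is already registered in the pool with different
# checksums is refused at that step, with an error from reprepro instead of
# a "Permission denied" from scp.
```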