Hi Andrea,

Have you had a chance to look at the following?

On Mon 28 Jul 2025 at 08:19pm +01, Ian Jackson wrote:

> Something like
>
>   Names a commit containing pristine-tar metadata.
>
>   The commit must contain SOMETHING LIKE exactly one .id file with
>   SOME PROPERTIES OR OTHER.  The .id file MUST SATISFY SOME
>   CONDITIONS THAT I DON'T UNDERSTAND.
>
>   The tag must also contain an C<upstream> item, and the tree named in
>   the .id file must be identical to that of the C<upstream> commit.
>
>   The pristine-tar commit may contain a SOMEHOW IDENTIFIABLE signature
>   file.  The signature file MUST SATISFY REASONABLE CONDITIONS SUCH AS
>   ITS FILENAME BEING SANE.  The signature file will then be published
>   together with the orig tarball.  The signature file is treated as
>   pure data by the service (so will not be verified or even format
>   checked).
>
>   If an orig tarball needs to be (re)generated, the service will use
>   pristine-tar, using precisely the metadata in the .id file.  The
>   service will check that the generated tarball MATCHES THE HASH IN
>   THE .ID FILE and that its contained tree is identical to SOMETHING.
>
>   The named pristine-tar commit must be reachable from the
>   C<pristine-tar> branch in the repository.
>
> Ian.

-- 
Sean Whitton
