On 01.07.19 15:09, Andrey Rahmatullin wrote:
> On Mon, Jul 01, 2019 at 03:04:26PM +0200, Enrico Weigelt, metux IT consult wrote:
>> On 29.05.19 17:41, Andrey Rahmatullin wrote:
>>
>>>> Perhaps we should update policy to say that the .orig tarball may (or
>>>> even "should") be generated from an upstream release tag where
>>>> applicable.
>>> This conflicts with shipping tarball signatures.
>>
>> Does that really need to be the upstream's tarballs ?
> The idea is checking the sig that the upstream made, with the key the
> upstream published.
Okay, but is that actually used (by somebody except the maintainers) ?

>> If it's about validating the source integrity all along the path from
>> upstream to deb-src repo, we could do that by auditable process
>> (eg. fully automatic, easily reproducible transformations)
> Sounds very complicated.

I don't think so, at least if we're considering the whole workflow.

In the end, it's just a matter of trust-chains:

* upstream should use signed tags - we can collect their pubkeys in some
  suitable place (what we should do anyway).
* if upstream doesn't sign, the maintainer has to trust them blindly, or
  needs to verify the code anyways. we could use some half-automated
  process for verifying the diff between the upstream tarball and the scm
  repo (we could add our own signatures here)
* finally the maintainer signs his final tree (the one that's used for
  actually building the final packages)

I believe that 99% can be done automatically, with a little bit of tooling.

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287
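The three-step trust chain sketched in the message above, as an added example in shell; this is not code from the thread, from Debian policy or from any Debian tool. It verifies the upstream tag against a keyring the maintainer collected, prints the diff between the upstream tarball and the tag's checked-out tree for the maintainer to review (the "half-automated" step, also what is left when upstream does not sign), and finally exports and signs the tree the package is built from. The function names, the keyring layout (a GnuPG home directory per upstream), the tarball layout (one top-level directory) and the `audit_upstream_release` glue are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Debian tool.  Sketches
# the trust chain in three steps: (1) verify the upstream's signed tag with
# the key we collected for that upstream, (2) show the maintainer the diff
# between the upstream tarball and the tag's tree, (3) export and sign the
# tree the package is actually built from.  Function names, keyring layout
# and tarball layout (one top-level directory) are assumptions.
set -eu

# Step 1: verify the tag signature.  $keyring is a GnuPG home directory that
# holds only the public keys collected for this upstream (assumed layout), so
# a signature by any other key is rejected.
verify_upstream_tag() {
    repo=$1 tag=$2 keyring=$3
    GNUPGHOME=$keyring git -C "$repo" verify-tag "$tag"
}

# Step 2: compare tarball contents with a checked-out tree.  Prints the diff
# the maintainer has to review and returns 1 when the trees differ.  Only
# file names and contents are compared: tarball metadata (mtime, owner,
# member order) is ignored, and so are file modes (a known limitation here).
diff_tarball_against_tree() {
    tarball=$1 tree=$2 strip=${3:-1}   # strip=1 drops the top-level directory
    work=$(mktemp -d)
    tar -xf "$tarball" -C "$work" --strip-components="$strip"
    rc=0
    diff -r -x .git "$work" "$tree" || rc=$?
    rm -rf "$work"
    return "$rc"
}

# Step 3: export the tag's tree reproducibly and sign it with the maintainer's
# key.  git archive emits members in a deterministic order and gzip -n omits
# the timestamp, so the archive bytes do not depend on when it was produced
# and anyone can re-derive them from the tag.
sign_final_tree() {
    repo=$1 tag=$2 prefix=$3 out=$4 signer=$5
    git -C "$repo" archive --format=tar --prefix="$prefix/" "$tag" \
        | gzip -n > "$out"
    gpg --local-user "$signer" --armor --detach-sign "$out"
}

# Glue: run the whole chain for one release.  An unsigned or badly signed tag
# does not stop the run; it falls through to the manual review of the diff
# printed by step 2, which is the fallback the message proposes.
audit_upstream_release() {
    repo=$1 tag=$2 keyring=$3 tarball=$4 prefix=$5 out=$6 signer=$7
    if verify_upstream_tag "$repo" "$tag" "$keyring"; then
        echo "tag $tag: upstream signature OK"
    else
        echo "tag $tag: unsigned or bad signature; review the diff below" >&2
    fi
    git -C "$repo" checkout -q "$tag"
    if diff_tarball_against_tree "$tarball" "$repo"; then
        echo "tarball matches the tag's tree"
    else
        echo "tarball differs from the tag's tree (see diff above)" >&2
        return 1
    fi
    sign_final_tree "$repo" "$tag" "$prefix" "$out" "$signer"
}
# Usage (paths and key id are placeholders):
#   audit_upstream_release ./foo v1.2.0 ~/upstream-keys/foo \
#       foo-1.2.0.tar.gz foo-1.2.0 foo_1.2.0.orig.tar.gz maint@example.org
```

`diff_tarball_against_tree` is the part that runs without git or gpg, which is why it takes a plain directory rather than a repository: it works for a `git archive` export, a checked-out tag, or any tree the maintainer wants to compare against. A diff of zero lines means the upstream tarball adds nothing beyond the tagged tree and the tarball signature question from the thread becomes moot for that release; a non-empty diff is exactly the material the maintainer must either review or reject.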