>>>>> "Ian" == Ian Jackson <ijack...@chiark.greenend.org.uk> writes:
Ian> Sam Hartman writes ("Re: tag2upload (git-debpush) service Ian> architecture - draft"): >> Sean Whitton <spwhit...@spwhitton.name> writes: > Okay, thanks. >> >> > I think that the Git-Tag-Info field solves this. With that > >> field available, anyone can do the following to perform an > >> equivalent verification: >> >> > 1. fetch the .dsc from the archive >> >> > 2. fetch, from dgit-repos, the tag given in the Git-Tag-Info > >> field of the .dsc >> >> This violates the "no external data" requirement above. Ian> This requirement can be met (as I mentioned before) by Ian> including the tag object data as a file in the upload (listed Ian> in .changes). The signature can be verified without any Ian> further data. A git bundle is not needed. What do you mean by tag object data? Can you outline how to get from the dsc to a verification of the tag signature without contacting the dgit server?