Charles Plessy <ple...@debian.org> writes:

> if creating a source package is fast and reproducible, could the dgit
> user commit the signed .dsc file somewhere, and the dgit infrastructure
> use it and throw an error if the hash sums do not match?

A difficulty with using the .dsc file as a signed artifact if you want to base the upload on a Git repository is that a .dsc file points to compressed tarballs, which means now you have to solve the problem of recreating a compressed tarball from a Git repository in a byte-for-byte identical way. Past experience with pristine-tar says that this is more fragile than we would like, and is prone to trouble if there are differing versions of tar or the compression utility in play.

Admittedly, the tag2upload problem is much easier than the pristine-tar problem because we're not trying to cope with arbitrary upstream tar creation, but I suspect the ongoing maintenance burden (and random failure rate) would be higher than the current proposal.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
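
The failure mode discussed in the reply above, as an added example that is not part of the original message and is not dgit or tag2upload code: the same tree is packed into a tar stream with pinned metadata, then gzip-compressed with different settings, and each result is checked against the hash a signed .dsc would carry. The sample tree, the function names and the use of Python's gzip settings as a stand-in for differing compressor versions are assumptions made for illustration.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a tagged Git checkout (not a real package).
TREE = {
    "hello-1.0/debian/changelog": "".join(
        f"entry {i}: closes #{i * 7919 % 10007}\n" for i in range(400)).encode(),
    "hello-1.0/src/main.c": "".join(
        f"int f{i}(void) {{ return {i * 31 % 257}; }}\n" for i in range(400)).encode(),
}

def build_tar(tree):
    """Serialize the tree with all metadata pinned so the tar stream is reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(tree[name]), 0, 0o644
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()

def compress(tar_bytes, level, mtime):
    """gzip the stream; level and header mtime stand in for differing tool versions/settings."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(tar_bytes)
    return out.getvalue()

def digest(data):
    return hashlib.sha256(data).hexdigest()

def compare():
    """Hash three server-side rebuilds of the same tree against the signed hash."""
    tar_bytes = build_tar(TREE)
    signed = digest(compress(tar_bytes, 9, 0))  # hash recorded in the signed .dsc
    rebuilds = {
        "same settings": compress(tar_bytes, 9, 0),
        "other level": compress(tar_bytes, 1, 0),
        "header timestamp": compress(tar_bytes, 9, 1700000000),
    }
    # For each rebuild: (does the .dsc hash match?, is the unpacked content identical?)
    return {k: (digest(v) == signed, gzip.decompress(v) == tar_bytes)
            for k, v in rebuilds.items()}

if __name__ == "__main__":
    for name, (hash_ok, content_ok) in compare().items():
        print(f"{name:17} .dsc hash matches: {hash_ok!s:5} content identical: {content_ok}")
```

Only the rebuild with identical compressor settings matches the signed hash, although all three decompress to the same tar stream.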