Hi. I am consulting on the name and syntax of a new field I intend to put in .dsc's.
This is for our tag-to-upload service[1], as described here:
  https://spwhitton.name/blog/entry/tag2upload/

The tag2upload service will take a signed git tag, and verify it against the Debian keyrings and dm.txt. It then turns that into a source package which it signs with its own key. That means the original "uploader" information (ie the identity of the person signing the git tag) is not any more present in the source package.

To remedy that I propose the following new field:

  Git-Tag-Info: FINGERPRINT Firstname Surname <email@address>

The parsing rules are: the first word is the fingerprint entirely in hex. The rest is from the tag's "tagger" line (and may not match). Consumers which want to know which OpenPGP key was used should use FINGERPRINT. Consumers which want to send email should use the RHS.

This syntax does not contain the signature date, nor the tag message, nor any OpenPGP cert name. An OpenPGP cert name would be a pain to provide in a securely meaningful way. The tag/signature date is not that important I think (and might be annoying to extract from gpgv). I think consumers won't need that information.

It also elides some tag2upload-specific metadata, info about git branch formats, and so on, but I think a .dsc consumer does not need that.

Comments welcome. If you are likely to have an opinion, please reply as soon as you can, since I hope to do the engineering work to make this thing production-ready as soon as the relevant design reviews etc. are done. If it will take you more than a few days to comment, please reply right away with a holding mail saying when you hope to find the time to write a substantive reply.

Thanks,
Ian.

[1] The service is still a prototype, but will hopefully be deployed soon, after some review, privsep work, integration discussions, etc.
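
A consumer-side parser for the proposed field, as an added example that is not part of the original mail and not tag2upload or dak code. The function names, the sample .dsc fragment, the upper-casing of the fingerprint and the rejection of control characters are assumptions of this sketch; the proposal itself only fixes "first word is hex, the rest is the tagger text".

```python
import re
from email.utils import parseaddr
from typing import NamedTuple

class GitTagInfo(NamedTuple):
    fingerprint: str  # key that signed the tag: use this for any key-based decision
    tagger: str       # raw text from the tag's "tagger" line; "may not match" the key
    email: str        # address taken from the tagger text, for sending mail only

_HEX = re.compile(r"[0-9A-Fa-f]+\Z")

def parse_git_tag_info(value: str) -> GitTagInfo:
    """Split a Git-Tag-Info value into fingerprint and tagger text."""
    # Assumption: refuse control characters so the tagger text cannot
    # smuggle extra header lines into mail generated from it.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in field value")
    fingerprint, _, tagger = value.strip().partition(" ")
    if not _HEX.match(fingerprint):
        raise ValueError("first word is not a hex fingerprint")
    tagger = tagger.strip()
    _, email = parseaddr(tagger)
    if "@" not in email:
        raise ValueError("no email address in tagger text")
    # Assumption: normalise case so fingerprints compare equal as strings.
    return GitTagInfo(fingerprint.upper(), tagger, email)

def git_tag_info_from_dsc(dsc_text: str) -> GitTagInfo:
    """Find the field in an already-verified, single-paragraph .dsc body."""
    for line in dsc_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.lower() == "git-tag-info":
            return parse_git_tag_info(value)
    raise KeyError("Git-Tag-Info")

# Constructed sample; the fingerprint and the other fields are made up.
SAMPLE_DSC = """\
Format: 3.0 (quilt)
Source: hello
Version: 1.0-1
Git-Tag-Info: 0123456789abcdef0123456789abcdef01234567 Firstname Surname <email@address>
"""

if __name__ == "__main__":
    print(git_tag_info_from_dsc(SAMPLE_DSC))
```

The parser is meant to run only after the .dsc's own signature has been checked, since the field's content is only as trustworthy as the key that signed the .dsc.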