On Jun 15, Russ Allbery <r...@debian.org> wrote:

> The serialization isn't the problem, constructing the source package is.
> Once you have a source package, there are lots of things you can do, but
> the problem is precisely that going from a Git tree to a source package is
> non-trivial and involves a whole bunch of Debian-specific code.
Yes, I understand this. But I think that the goal can be much simpler:
just allowing dak to verify that the content (i.e. the files) of the
source package it received is the same as what the uploader's PGP key has
signed on their own system.
Then the actual source package can be reconstructed by dgit for the
archive as planned.

> > I am thinking about hashing something like a sorted list of (file name,
> > file hash) tuples.
> I was trying to figure out while I was walking today whether that would be
> all you need, and I'm not sure it is.  I couldn't convince myself that you
> could ignore file permissions, symlinks, hard links, and so forth.
Maybe, but it should not be hard to add this kind of metadata.

-- 
ciao,
Marco
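The manifest idea from this exchange, as an added example that is not part of the thread or of dak/dgit: a Python sketch that hashes a sorted list of entries carrying not only (file name, file hash) but also the permission bits, symlink target and hard-link relation Russ lists, then digests a canonical serialization so an archive-side tool could compare an uploader-signed digest against the tree it reconstructed. The sample tree, the tuple layout and the hard-link rule (the lexicographically first path sharing an inode is the canonical one) are my assumptions.

```python
import hashlib, json, os, stat, tempfile
from pathlib import Path

def tree_manifest(root):
    # Sorted (relative path, kind, permission bits, payload) tuples.  Payload: sha256 of
    # a file, a symlink's target, the canonical path of a hard link, "" for a directory.
    root, found = Path(root), []
    for d, dirnames, filenames in os.walk(root, followlinks=False):
        found += [Path(d) / n for n in dirnames + filenames]
    found.sort(key=lambda p: p.relative_to(root).as_posix())  # canonical order
    entries, first_path_for_inode = [], {}
    for p in found:
        rel, st = p.relative_to(root).as_posix(), os.lstat(p)
        perm = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            entries.append((rel, "symlink", perm, os.readlink(p)))
        elif stat.S_ISDIR(st.st_mode):
            entries.append((rel, "dir", perm, ""))
        elif stat.S_ISREG(st.st_mode):
            key = (st.st_dev, st.st_ino)  # same inode seen before => hard link
            if key in first_path_for_inode:
                entries.append((rel, "hardlink", perm, first_path_for_inode[key]))
            else:
                first_path_for_inode[key] = rel
                entries.append((rel, "file", perm, hashlib.sha256(p.read_bytes()).hexdigest()))
        else:  # sockets, devices, fifos: refuse rather than silently skip
            raise ValueError(f"unsupported entry type: {rel}")
    return entries

def manifest_digest(entries):
    # Canonical serialization: one compact JSON array per entry, newline-terminated.
    blob = "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in entries)
    return hashlib.sha256(blob.encode()).hexdigest()

def run_demo():
    # Constructed sample tree (an assumption, not a real source package).
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        rules = root / "debian" / "rules"
        rules.parent.mkdir()
        rules.write_text("#!/usr/bin/make -f\n")
        rules.chmod(0o755)
        (root / "README").write_text("hello\n")
        os.symlink("README", root / "README.link")
        os.link(root / "README", root / "README.hard")
        manifest = tree_manifest(root)
        base = manifest_digest(manifest)
        rules.chmod(0o644)  # identical bytes, different permission bits
        mode_changed = manifest_digest(tree_manifest(root))
        return {"kinds": {e[0]: e[1] for e in manifest}, "base": base, "mode_changed": mode_changed}
```

The digest changes when only a mode bit changes, which is exactly the case a plain (name, hash) list would miss.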
