Hi Joerg,

On Mon, Jun 17, 2024 at 12:04:20AM +0200, Joerg Jaspert wrote:
> Also, currently we have the nicety that we store all signatures directly
> beside the source package, available for everyone to go and check.
> Linking back to the actual Uploader, not to a random service key. You
> can take that, run a gpgv on it and via the checksums of the files then
> see that, sure, this is the code that the maintainer took and uploaded.
> You do *not* need to trust any other random key on that. Not that of
> tag2upload. *AND* not that of FTPMaster.
> 
> [...]
>
> We want dak (and anyone else) to be able to say "Yes, DD/DM $x has
> signed off this content". That only works, if dak (and later, the
> public, if they want to check too) have the signature for this in a way
> they can verify it. And not just a line somewhere "Sure, $service
> checked this for you, trust us, please".

Idea: assuming we had support for (something like) source-format
[3.0 (git)] in dak, tag2upload could generate a dsc in that [format], which
could then include the maintainer's signed tag in the bundle.

[format]: For those who don't know, essentially just a shallow git-bundle.
[3.0 (git)]: https://wiki.debian.org/GitSrc

That way everything is in the archive, assuming verifying git tags works on
shallow clones and the conversion to a different source format doesn't
present a problem for t2u.

In my mind the dsc itself would still be signed by the t2u service key here
but the original maintainer's signature is right there inside that dsc for
anyone to verify.

I keep coming back to the idea of working on 3.0 (git) but the thought of
the ideas behind it having been (maybe?) rejected by ftp-master already is
keeping me from even trying. I never could figure out why exactly it didn't
go forward though? It's even in [dpkg-source] already so what happened
there?

[dpkg-source]: https://manpages.debian.org/unstable/dpkg-dev/dpkg-source.1.en.html#Format:_3.0_(git)

--Daniel
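To illustrate the second half of the check Joerg describes (gpgv on the dsc, then the checksums of the listed files), here is an added example, not code from this thread or from dak/tag2upload: it parses the Checksums-Sha256 field of a constructed `3.0 (git)` dsc and compares the listed members against files on disk. The source name, version and file contents are made up, and the gpgv step that authenticates the dsc itself is assumed to have already passed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for the members of a "3.0 (git)" source package:
# the .git bundle is where the maintainer's signed tag would travel.
SAMPLE_FILES = {
    "hello_1.0.git": b"constructed stand-in for a shallow git bundle\n",
    "hello_1.0.gitshallow": b"constructed stand-in for the shallow list\n",
}

def dsc_for(directory):
    """Build a minimal dsc body (the part t2u would sign) for every file in directory.
    Real dscs also carry Files: (MD5) and Checksums-Sha1:; only SHA-256 is built here."""
    lines = ["Format: 3.0 (git)", "Source: hello", "Version: 1.0", "Checksums-Sha256:"]
    for path in sorted(Path(directory).iterdir()):
        data = path.read_bytes()
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path.name}")
    return "\n".join(lines) + "\n"

def parse_field(dsc_text, field):
    """Collect the whitespace-split continuation lines of one multi-line dsc field."""
    entries, in_field = [], False
    for line in dsc_text.splitlines():
        if in_field and line[:1] in (" ", "\t"):
            entries.append(line.split())
        else:
            in_field = line.startswith(field + ":")
    return entries

def verify_checksums(dsc_text, directory):
    """Return the names of members that are missing or whose size/SHA-256 differ from the dsc."""
    bad = []
    for digest, size, name in parse_field(dsc_text, "Checksums-Sha256"):
        path = Path(directory) / name
        if not path.is_file():
            bad.append(name)
            continue
        data = path.read_bytes()
        if len(data) != int(size) or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return bad

def demo(tamper=False):
    """Write the sample package to a temp dir, build its dsc, optionally modify a member, verify."""
    with tempfile.TemporaryDirectory() as directory:
        for name, data in SAMPLE_FILES.items():
            (Path(directory) / name).write_bytes(data)
        dsc_text = dsc_for(directory)  # fixed at signing time
        if tamper:  # a bundle swapped after the dsc was signed
            (Path(directory) / "hello_1.0.git").write_bytes(b"modified after signing\n")
        return verify_checksums(dsc_text, directory)
```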