On 24.06.24 23:20, tho...@goirand.fr wrote:
> I see it as signing the very thing that is pushed to the Debian archive. You aren't uploading a bunch of git SHAs to the archive but a source package. It feels very normal that, therefore, that is the thing that we would like you to sign. Too bad this is less convenient for your workflow, but that is the correct semantic.
Well, yes. Right now this is the case, and t2u adds an additional step to that equation which historically we didn't have.
However … (a) the thing I'm signing isn't the thing I worked on. I didn't look at it and, given a git-centric workflow, nobody else will either. It feels very unnormal to me that I'm signing some artifact that I didn't even look at. Heck, it felt unnormal to me 20 years ago when I joined and built my first packages.
(b) we might decide, sometime in the future, that sources.dgit.d.o is to be treated as part of "the Debian archive" and that our builders shall pull from there instead of unpacking a tarball if the maintainer used t2u, thus effectively removing your objection.
-- 
Kind regards
Matthias Urlichs