On Tue, Jun 25, 2024 at 08:55:56AM +0200, Matthias Urlichs wrote:
> On 24.06.24 23:20, tho...@goirand.fr wrote:
> > I see it as signing the very thing that is pushed to the Debian archive.
> > You aren't uploading a bunch of git SHAs to the archive but a source
> > package. It feels very normal that, therefore, that is the thing that we
> > would like you to sign. Too bad this is less convenient for your
> > workflow, but that is the correct semantic.
>
> Well, yes. Right now this is the case, and t2u adds an additional step to
> that equation which historically we didn't have.
>
> However …
>
> (a) the thing I'm signing isn't the thing I worked on. I didn't look at it
> and, given a git-centric work flow, nobody else will either. It feels very
> unnormal to me that I'm signing some artifact that I didn't even look at.
> Heck, it felt unnormal to me 20 years ago when I joined and built my first
> packages.

The unit of signing should remain close to the unit of distribution. It makes
the signer aware of what exactly they are responsible for. I mean, that is
in the current workflow, with the signer being the DD doing the last human
verification.

> (b) we might decide, sometime in the future, that sources.dgit.d.o is to be
> treated as part of "the Debian archive" and that our builders shall pull
> from there instead of unpacking a tarball if the maintainer used t2u, thus
> effectively removing your objection.

In my view git will be replaced by the next VCS while Debian will still be
distributing source packages to be finally signed by some human. Sure, git is
useful today and it's worth giving it a prominent place in the workflows of
today. I just think that the source code package that gets distributed should
remain independent of any product like a VCS that happens to be hot today.

> --
> -- Kind regards
> --
> -- Matthias Urlichs
> --