On Sunday, June 30, 2024 1:45:15 PM EDT Aigars Mahinovs wrote:
> On Sun, 30 Jun 2024 at 19:28, Russ Allbery <r...@debian.org> wrote:
> > Aigars Mahinovs <aigar...@gmail.com> writes:
> > > Correct me if I'm wrong, but I believe the intention is to have two
> > > technically redundant data points saved into the archive:
> > >
> > > 1) checksums of the contents of the shallow copy git tree in the
> > > maintainer work folder (signed by the maintainer)
> > > 2) contents of the shallow copy git tree in the t2u server work folder
> > > (signed by t2u)
> >
> > Oh! Did I misunderstand Joerg's second point entirely? By "the tag that
> > t2u wants to upload," I assumed that meant the tag the uploader signed or,
> > in other words, the state of the tree *before* t2u started doing its work
> > that has the uploader signature attached.
>
> I do not see that in either what I or Joerg wrote. And I also don't
> see much sense in that.
>
> In contrast, having a tarball of the git state *before* t2u starts its
> work would provide a tarball that *can* be verified against the
> checksums from the first file. That will give you a clear data point -
> t2u started its work with exactly the same workspace as the
> maintainer signed. And will provide a frozen copy of that starting
> workspace in the archive independent of the (more complex) dgit
> service.
It's one at the point the maintainer signed the tag.

Scott K