We've had some discussion of some of these issues already, but let me summarise:

Most current workflows for Debian packaging with git involve a git repository somewhere, and in practice it is very impractical not to trust the contents of (at least some branches in) that repository. Currently AFAIAA most people are using ad-hoc repositories on private servers, or something on alioth. And most people are not using any kind of signature scheme. This is far from ideal.

I think we should switch to using GPG-signed pushes. (This is better than GPG-signed tags because tags don't really specify what branches to update, unless you impose special syntax on them - thus reinventing signed pushes. It is better than GPG-signed commits because it works better with history rewriting, makes clearer what is actually being intentionally done by the signer, and exposes and uses your key at only the right point in the process.)

For this we need a git server which supports GPG-signed pushes, and (at least) all authorised pushers to be using a suitable version of git.

I guess the rule would be that a DD is allowed to create, delete and rename and update branches on any package's repo, and that a DM may only access repos for 'their' packages (and perhaps may only update ff - TBD).

The new dgit git repos VM is IMO an appropriate place to host this. The dgit magic git server already knows how to decide whether a particular key is authorised for a particular package and has many of the necessary moving parts.

The only significant problem is that the relevant versions of git are currently only in experimental. Can we expect these (a) to be in sid soon and (b) usefully stable backports to be available for (at least) jessie? (CCing git@p.d.o.)

I'll also have to talk to DSA about what they think about running a backport of git.

Ian.

Archive: https://lists.debian.org/21921.20783.583098.549...@chiark.greenend.org.uk
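As an added illustration of the server side of this proposal (example code written for this page, not Ian's, dgit's or git's own code): the policy a pre-receive hook would enforce when only GPG-signed pushes are accepted, with the DD/DM rules from the message above (DD may do anything; DM only on 'their' packages, and, taking the TBD option, fast-forward updates only, no deletions). The GIT_PUSH_CERT_STATUS, GIT_PUSH_CERT_NONCE_STATUS and GIT_PUSH_CERT_KEY variables are what git (2.2 and later) exports to the hook when a client runs `git push --signed` and the server has `receive.certNonceSeed` set. The authorisation table, the placeholder key ids in it, and the assumption that the bare repository is named after the package (e.g. `/srv/git/hello.git`) are constructed for this example.

```python
#!/usr/bin/env python3
"""Example pre-receive policy: accept only GPG-signed pushes, then apply DD/DM rules.

GIT_PUSH_CERT_STATUS uses git's %G? mnemonics: "G" good and trusted, "U" good
but untrusted, "B" bad, "N" no signature, and so on. GIT_PUSH_CERT_NONCE_STATUS
is "OK" only when the client signed the nonce this server issued for this push
(replay protection); "MISSING", "BAD", "UNSOLICITED" or "SLOP" are rejected.
"""
import os
import subprocess
import sys

ZERO_OID = "0" * 40  # git's "no object" id, meaning branch creation or deletion

# Constructed authorisation table (placeholder key ids, not real keys):
# key id as reported in GIT_PUSH_CERT_KEY -> role, plus a DM's package list.
AUTHZ = {
    "0123456789ABCDEF": {"role": "DD"},
    "FEDCBA9876543210": {"role": "DM", "packages": {"hello", "dgit"}},
}


def check_certificate(env):
    """Return None when the push certificate verifies, else a rejection reason."""
    status = env.get("GIT_PUSH_CERT_STATUS")
    if status is None or status == "N":
        return "unsigned push: use 'git push --signed'"
    if status != "G":
        return "push certificate signature is not good and trusted (status %s)" % status
    if env.get("GIT_PUSH_CERT_NONCE_STATUS") != "OK":
        return "push certificate nonce not OK (stale or missing; possible replay)"
    return None


def check_updates(updates, package, key, authz, is_ancestor):
    """Apply the DD/DM rules to a list of (old, new, refname) updates.

    Returns a list of rejection reasons; an empty list means the push is accepted.
    is_ancestor(old, new) must say whether old is reachable from new (fast-forward).
    """
    entry = authz.get(key)
    if entry is None:
        return ["key %s is not authorised to push here" % key]
    reasons = []
    for old, new, ref in updates:
        if entry["role"] == "DD":
            continue  # DDs may create, delete, rename and update any branch
        if package not in entry.get("packages", ()):
            reasons.append("%s: DM key may not modify package %s" % (ref, package))
            continue
        if old == ZERO_OID:
            continue  # branch creation is allowed on the DM's own packages
        if new == ZERO_OID:
            reasons.append("%s: DM may not delete branches" % ref)
            continue
        if not is_ancestor(old, new):
            reasons.append("%s: non-fast-forward update not permitted for DM" % ref)
    return reasons


def git_is_ancestor(old, new):
    """Ask git whether old is an ancestor of new, i.e. the update is a fast-forward."""
    return subprocess.call(["git", "merge-base", "--is-ancestor", old, new]) == 0


def parse_updates(lines):
    """pre-receive stdin: one "<old> <new> <refname>" line per ref being updated."""
    return [tuple(line.split()) for line in lines if line.strip()]


def main():
    reason = check_certificate(os.environ)
    if reason:
        sys.exit("rejected: " + reason)
    # Assumption: the bare repo directory is named after the package (hello.git).
    package = os.path.basename(os.getcwd())
    if package.endswith(".git"):
        package = package[:-4]
    updates = parse_updates(sys.stdin.read().splitlines())
    reasons = check_updates(updates, package,
                            os.environ.get("GIT_PUSH_CERT_KEY"), AUTHZ, git_is_ancestor)
    if reasons:
        sys.exit("rejected:\n  " + "\n  ".join(reasons))


if __name__ == "__main__":
    main()
```

Installed as `hooks/pre-receive` in each bare repository, a non-zero exit rejects the whole push atomically, which is the property that makes the signed push (rather than per-commit signatures) the unit of authorisation: the signer vouches for exactly the set of ref updates in the certificate, and the nonce check stops a captured certificate from being replayed later.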
Most current workflows for Debian packaging with git involve a git repository somewhere, and in practice it is very impractical not to trust the contents of (at least some branches in) that repository. Currently AFAIAA most people are using ad-hoc repositories on private servers, or something on alioth. And most people are not using any kind of signature scheme. This is far from ideal. I think we should switch to using GPG-signed pushes. (This is better than GPG-signed tags because tags don't really specify what branches to update, unless you impose special syntax on them - thus reinventing signed pushes. It is better than GPG-signed commits because it works better with history rewriting, makes clearer what is actually being intentionally done by the signer, and exposes and uses your key at only the right point in the process.) For this we need a git server which supports GPG-signed pushes, and (at least) all authorised pushers to be using a suitable verson of git. I guess the rule would be that a DD is allowed to create, delete and rename and update branches on any package's repo, and that a DM may only access repos for `their' packages (and perhaps may only update ff - TBD). The new dgit git repos VM is IMO an appropriate place to host this. The dgit magic git server already knows how to decide whether a particular key is authorised for a particular package and has many of the necessary moving parts. The only significant problem is that the relevant versions of git are currently only in experimental. Can we expect these (a) to be in sid soon and (b) usefully stable backports to be available for (at least) jessie ? (CCing git@p.d.o.) I'll also have to talk to DSA about what they think about running a backport of git. Ian. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/21921.20783.583098.549...@chiark.greenend.org.uk