Sometimes we are lucky and upstream uses signed git tags. That still does not help us to verify the orig.tar.gz. It can however still be very useful.
If we store some git objects in debian/upstream/.../ then we can at least verify those files that are the same in the tarball and in the tagged git commit. We need to store the git tag, the git commit and all tree objects from the tagged commit. Then we have trusted sha1 signatures of all files from the tagged git commit. The tarball might contain additional files, e.g. compiled stuff or configure files, but we don't want to rely on those anyway.

Maybe this file structure?

debian/upstream/git
  objects                                    // flat structure, unlike git's two level structure
    5f19d6d7380dc9416f5f852e8b3a9c06f239cb93 // plain, no zlib compression
  refs
    tags
      1.0.3                                  // same as in git

Objects are not compressed since they end up in a tar.gz anyway. The object store does not contain any blobs, only tree, commit and tag objects.

Somebody wants to write the necessary tools (in haskell...)?

Thomas Koch
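As an added illustration of the verification walk proposed above (example code, not from the post or from any existing tool), here is a minimal checker in Python rather than Haskell. It assumes the flat object directory is represented as a dict of sha1 hex id to raw, uncompressed git object (header included), that the unpacked tarball is given as {path: bytes}, and it constructs its own sample tag, commit, trees and tarball contents inline.

```python
import hashlib, re
oid = lambda raw: hashlib.sha1(raw).hexdigest()  # a git object id is the sha1 of the raw object

def raw_object(kind, body):
    # A git object is "<kind> <size>\0<body>"; here it is stored as-is, without zlib compression.
    return f"{kind} {len(body)}\0".encode() + body

def load(store, hexid, kind):
    # Fetch an object and check it hashes to hexid with the expected type: this chains trust from the signed tag down.
    raw = store[hexid]
    header, body = raw.split(b"\0", 1)
    if oid(raw) != hexid or header != f"{kind} {len(body)}".encode():
        raise ValueError(f"bad {kind} object {hexid}")
    return body

def field(body, key):  # value of the "<key> <value>" header line of a commit or tag
    return re.search(rb"^" + key + rb" (\S+)", body, re.M).group(1).decode()

def tree_files(store, tree_id, prefix=""):
    # Flatten a tree to {path: blob id}; entries are "<mode> <name>\0<20 raw sha1 bytes>".
    files, body, i = {}, load(store, tree_id, "tree"), 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        child, i = body[nul + 1:nul + 21].hex(), nul + 21
        if mode == "40000":  # sub-tree, which must be in the store; blobs are never stored
            files.update(tree_files(store, child, prefix + name + "/"))
        else:
            files[prefix + name] = child
    return files

def verify_tarball(store, tag_id, files):
    # Walk tag -> commit -> tree, hash each unpacked file ({path: bytes}) as a blob; extras (e.g. configure) are unverified.
    commit = load(store, field(load(store, tag_id, "tag"), b"object"), "commit")
    expected = tree_files(store, field(commit, b"tree"))
    status = lambda p: ("missing" if p not in files else
                        "ok" if oid(raw_object("blob", files[p])) == expected[p] else "MISMATCH")
    return {**{p: status(p) for p in expected}, **{p: "unverified" for p in files.keys() - expected.keys()}}

def build_sample():
    # Constructed data: tag 1.0.3 over tree {README, src/main.c}; "tarball" has src/main.c altered plus a generated configure.
    store = {}
    def put(kind, body):
        raw = raw_object(kind, body); store[oid(raw)] = raw; return oid(raw)
    readme, main_c = b"hello\n", b"int main(void) { return 0; }\n"
    src = put("tree", b"100644 main.c\0" + bytes.fromhex(oid(raw_object("blob", main_c))))
    root = put("tree", b"100644 README\0" + bytes.fromhex(oid(raw_object("blob", readme))) + b"40000 src\0" + bytes.fromhex(src))
    commit = put("commit", b"tree " + root.encode() + b"\nauthor T <t@x> 0 +0000\n\nrelease\n")
    tag = put("tag", b"object " + commit.encode() + b"\ntype commit\ntag 1.0.3\n\nv1.0.3\n")
    return store, tag, {"README": readme, "src/main.c": b"int main(void) { return 1; }\n", "configure": b"#!/bin/sh\n"}
```

`verify_tarball(*build_sample())` returns {"README": "ok", "src/main.c": "MISMATCH", "configure": "unverified"}; checking the signature on the tag object itself is left to gpg, as in git.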