Hello,

On Sat 15 Jun 2024 at 07:12pm +02, Sven Mueller wrote:

> I'm currently a bystander. And while I reply to Joerg's mail, I'm not
> directly referencing any of the points in his mail, so no quotes.
>
> I'd like to point out though, that signing the content of the package is not
> possible if the developer should only need to do `git $something`.
>
> They would also need to generate the source package, as I don't see a
> guarantee that regenerating the source package from the same git tag (by t2u)
> would necessarily result in a bitwise identical source package.
>
> What would be possible would be (if dak has sufficient network access) to
> check the signed git tag that t2u used and re-check the signature on that.
> The problem remains that this only verified that the tag was set, not that
> t2u actually used the code that tag points to. That would again require
> trust in t2u or reproducible source package builds (and for dak to rebuild
> from the git repo).
>
> In essence: I don't see how to fulfill the mentioned requirements by
> ftpmasters while keeping the workflow of developers minimal. The only way I
> see to fulfill them is to have the workflow that t2u is supposed to simplify
> and host actually run on the developer-controlled machines instead of a
> centralized service. Which defeats the purpose IMHO.

Yes, this is a good summary of the perspective of the t2u developers, thank you.

-- 
Sean Whitton