Hi Russ,

* Russ Allbery <r...@debian.org> [2024-06-15 23:57]:
> Scott Kitterman <deb...@kitterman.com> writes:
>
> > Today I can download any source package in the archive and verify who
> > uploaded the package and is responsible for its contents. It doesn't
> > matter if I download it from the main archive or a mirror. Personally,
> > I think that's an important characteristic of our package archive,
> > which is lost by tag2upload.
>
> The same *information* is there, provided that the tag2upload metadata
> is trustworthy, but it is not trivial to verify that tag2upload did its
> part of the job properly. You can trace the package back to tag2upload
> and you can see who tag2upload asserted uploaded the package, and you
> can then retrieve that signed Git tag and verify it, but in order to
> establish the last missing link, you would have to redo the work that
> tag2upload did to assemble the source package to check that it was done
> properly.

Would it be possible for tag2upload to generate some sort of log or diff of its operation? Then, a verifier does not have to reimplement the whole dgit logic with all its edge cases; it merely has to apply the same tree transformation(s) as t2u and verify that this will indeed produce the source package from the signed Git tag.
Cheers
Timo

--
Timo Röhling
9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA
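The verification scheme Timo proposes above, as an added example that is not part of the thread and not code from tag2upload or dgit: tag2upload is assumed to emit a log of tree operations, and an independent checker replays that log against the manifest of the signed tag's tree and compares the result with the manifest of the published source package. The log format, the manifest format and all sample data below are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Manifest: path -> sha256 of file content (constructed format, not dgit's).
Manifest = Dict[str, str]
# Log entry: (operation, path, sha256 of added content or "" for removals).
LogEntry = Tuple[str, str, str]


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: tree of the signed Git tag, as the maintainer signed it.
TAG_TREE: Manifest = {
    "debian/changelog": h(b"foo (1.0-1) unstable; urgency=medium\n"),
    "debian/control": h(b"Source: foo\n"),
    "src/main.c": h(b"int main(void) { return 0; }\n"),
    ".gitignore": h(b"*.o\n"),
}

# Constructed: the operations the service is assumed to log.  An "add"
# carries the hash of the file the service generated, so the checker only
# has to confirm it appears unchanged in the result.
TRANSFORM_LOG: List[LogEntry] = [
    ("remove", ".gitignore", ""),
    ("add", "debian/patches/series", h(b"0001-upstream.patch\n")),
    ("add", "debian/patches/0001-upstream.patch", h(b"--- a/src/main.c\n")),
]


def replay(tree: Manifest, log: List[LogEntry]) -> Manifest:
    """Apply the logged operations to a copy of the tag's manifest.
    A log that cannot be replayed (unknown op, removal of an absent path)
    is rejected outright rather than silently skipped."""
    out = dict(tree)
    for op, path, digest in log:
        if op == "remove":
            if path not in out:
                raise ValueError(f"log removes missing path {path!r}")
            del out[path]
        elif op == "add":
            out[path] = digest
        else:
            raise ValueError(f"unknown operation {op!r}")
    return out


def verify(tag_tree: Manifest, log: List[LogEntry], package: Manifest) -> bool:
    """True only if replaying the log on the signed tag's tree yields exactly
    the source package's file set and contents (no extra or altered files)."""
    return replay(tag_tree, log) == package
```

A real checker would also verify the tag signature and derive both manifests from the actual Git tree and the unpacked source package; the comparison step is the part shown here.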