* Russ Allbery <r...@debian.org> [2024-06-16 09:02]:
> I believe that's what tag2upload pushes to the dgit-repos server, although I'm not sure that exactly matches what you're asking for.

I was pondering over a way to securely link the Git tag with the upload. I think it needs to be representable as a file that can be signed and uploaded together with the source package; this enables dak (or anyone else for that matter) to verify that the Git tag corresponds to the upload and simultaneously serves as an audit trail for whatever t2u deemed necessary to do.

A Git patch might fit the bill; it depends on whether you consider it sufficient to compare the (extracted) source trees or if you want to be able to reconstruct a bit-identical copy of the source package tarballs.


--
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯
