On 17.06.24 00:04, Joerg Jaspert wrote:
> Still, we should find a way to keep the existing property of verifying what the uploader signed to upload *without* requiring a third-party$something to be available.
Verifying what the uploader signed is simple enough, it's a git tag. You fetch it and verify that the hashes match ("git fsck"; current git is hardened against SHAttered) and that it's signed by the correct key.
You want to verify t2u's work? Simple enough, run dgit and compare to whatever t2u sent you. No $something required.
Oh wait, t2u isn't even "third party". It's a Debian tool running on properly-administered (we assume) Debian hardware, running just another build step in a sandbox.
Another way of doing this would be to teach t2u to simply push the tag to an append-only git store. Then teach the builders that instead of their equivalent of "apt-get source" they should fetch this tag from our git store and run dgit (and then push the legacy source tarballs) themselves.
Would that scheme work better for you?

-- 
Kind regards,
Matthias Urlichs
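As an added illustration of the check described in the message above (this is example code, not something from the thread, from dgit or from t2u): a small POSIX shell script that does the three steps named there, fetching the tag, running "git fsck", and confirming the tag's OpenPGP signature comes from the expected key. The key check is done on the status lines that `git verify-tag --raw` prints (the GNUPG:STATUS format), so it can be exercised offline; the fingerprints, key id and e-mail address in the sample status text are constructed placeholders, and the helper and variable names are mine.

```sh
#!/bin/sh
# Added example, not code from the thread or from dgit/t2u.
# Verifies that a git tag is (a) intact and (b) signed by the expected
# OpenPGP primary key, using the status lines of `git verify-tag --raw`.

# check_tag_status STATUS_TEXT EXPECTED_PRIMARY_FPR
# Returns 0 only if no failure status is present and a VALIDSIG line's
# last field (the primary-key fingerprint) equals EXPECTED_PRIMARY_FPR.
# Comparing the primary fingerprint rather than the short key id in
# GOODSIG avoids accepting a signature from a look-alike key id.
check_tag_status() {
    status="$1"
    expected="$2"
    # Any hard failure from gpg means the tag is not acceptable.
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    # VALIDSIG <sig fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary fpr>
    fpr=$(printf '%s\n' "$status" \
        | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    # An unsigned tag yields no VALIDSIG line at all, so fpr is empty.
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# verify_uploader_tag REPO REMOTE TAG EXPECTED_PRIMARY_FPR
# Fetches the tag, checks object hashes with git fsck, then checks the
# signature against the expected key. The expected fingerprint must come
# from an out-of-band source (e.g. the keyring the archive already trusts).
verify_uploader_tag() {
    repo="$1"; remote="$2"; tag="$3"; expected="$4"
    git -C "$repo" fetch "$remote" "refs/tags/$tag:refs/tags/$tag" >/dev/null 2>&1 || return 1
    # fsck recomputes and compares object hashes; --no-dangling keeps the
    # output limited to real corruption.
    git -C "$repo" fsck --no-dangling >/dev/null 2>&1 || return 1
    # verify-tag writes the raw gpg status lines to stderr.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || return 1
    check_tag_status "$status" "$expected"
}

# Constructed sample status output (placeholder fingerprints, key id and
# address; not real keys). The signature is made by a subkey, so the first
# VALIDSIG fingerprint differs from the primary one in the last field.
EXPECTED_FPR='AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555'
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 0
[GNUPG:] SIG_ID examplesigid0000000000000000 2024-06-17 1718575440
[GNUPG:] GOODSIG 1234567890ABCDEF Example Uploader <uploader@example.invalid>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-06-17 1718575440 0 4 0 22 10 01 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
[GNUPG:] TRUST_FULLY 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1234567890ABCDEF Example Uploader <uploader@example.invalid>'
UNSIGNED_STATUS='error: no signature found'

# Usage: sh verify-tag.sh <repo> <remote> <tag> <expected-primary-fingerprint>
if [ "$#" -eq 4 ]; then
    if verify_uploader_tag "$1" "$2" "$3" "$4"; then
        echo "tag $3: intact and signed by expected key"
    else
        echo "tag $3: verification FAILED"
        exit 1
    fi
fi
```

The check deliberately compares the primary-key fingerprint from VALIDSIG rather than the key id shown in GOODSIG, and it treats an expired or revoked key as a failure even though gpg still reports the signature itself as mathematically good.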