On 17263 March 1977, Matthias Urlichs wrote:
>> Still, we should find a way to keep the existing property of verifying
>> what the uploader signed to upload *without* requiring a third-party
>> $something to be available.
>
> Verifying what the uploader signed is simple enough, it's a git tag. You
> fetch it and verify that the hashes match ("git fsck"; current git is
> hardened against SHAttered) and that it's signed by the correct key.

That's a third-party.

> You want to verify t2u's work? Simple enough, run dgit and compare to
> whatever t2u sent you. No $something required.

$something is required. It is not there with the source package on your
mirror. It is a random other place. Sure, hosted by Debian, but it's
still elsewhere and another thing required to have.

> Oh wait, t2u isn't even "third party". It's a Debian tool running on
> properly-administered (we assume) Debian hardware, running just another
> build step in a sandbox.

It is third-party, the same way that "to verify, fetch $blah from
ftp-masters api host" would be.

> Another way of doing this would be to teach t2u to simply push the tag
> to an append-only git store. Then teach the builders that instead of
> their equivalent of "apt-get source" they should fetch this tag from our
> git store and run dgit (and then push the legacy source tarballs)
> themselves.
>
> Would that scheme work better for you?

Not with an unchanged archive structure.

Oh wait, you mean the builders generate the source package as it will
end up in the archive? Where is the difference in builders generating
vs. t2u generating here, as the other part, signature from uploader,
would still not be there?

--
bye, Joerg
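The verification step the thread argues about (fetch the uploader's tag, run `git fsck`, confirm it is signed by the correct key), as an added example; this is not code from the thread, from dgit or from tag2upload. It assumes `git verify-tag --raw` printing gpg's `--status-fd` lines on stderr, and the fingerprint allowlist is a constructed placeholder.

```python
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Primary-key fingerprints allowed to sign upload tags (constructed placeholder).
ALLOWED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}


@dataclass
class TagVerdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def check_gpg_status(status_lines: Iterable[str], allowed: Set[str]) -> TagVerdict:
    """Judge gpg status lines (the '[GNUPG:] ...' format git verify-tag --raw emits).

    Accept only when gpg reports GOODSIG (not a bad, expired or revoked signature)
    and VALIDSIG names a primary-key fingerprint from the allowlist. A good
    signature by an unknown key is rejected: the check is identity, not just
    integrity, which is the property the thread wants to preserve.
    """
    goodsig = False
    primary_fpr = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return TagVerdict(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            goodsig = True
        if keyword == "VALIDSIG":
            # field 2 is the signing (sub)key; field 11, when present, is the primary key
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
    if not goodsig or primary_fpr is None:
        return TagVerdict(False, "no good signature found")
    if primary_fpr.upper() not in allowed:
        return TagVerdict(False, "signed by a key not in the allowlist", primary_fpr)
    return TagVerdict(True, "good signature by allowed key", primary_fpr)


def verify_upload_tag(repo: str, tag: str, allowed: Set[str] = ALLOWED_FINGERPRINTS) -> TagVerdict:
    """Object integrity first (git fsck), then signer identity on the tag."""
    fsck = subprocess.run(["git", "-C", repo, "fsck", "--strict", "--no-dangling"],
                          capture_output=True, text=True)
    if fsck.returncode != 0:
        return TagVerdict(False, "git fsck failed: " + fsck.stderr.strip())
    vt = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                        capture_output=True, text=True)
    return check_gpg_status(vt.stderr.splitlines(), allowed)
```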