Russ Allbery writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> My understanding is that the problem with this
> design from their perspective is that it requires a fat client on the
> uploader's system,
Yes.
Indeed, we have a system very like this already. It's called dgit.
dgit push-source *is* that fat client.
In your inferred design sketch, the fat client makes a git tag which
somehow encodes the special Debian-specific hash tree. That is kind
of weird, and isn't really necessary. We can just make the existing
Debian-specific hash tree signatures: the signatures on the .dsc and
the .changes. So, with dgit, there are just two sets of signatures:
one set for the archive, to make the upload be accepted, and one set
for the git form, which gets pushed to dgit-repos.
What we are trying to do with tag2upload is get rid of dgit. [1]
Ian.
[1] Well, of course, it still runs on the server, but it becomes an
implementation detail of the automatic gateway between git and source
packages.
--
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
