Russ Allbery writes ("Re: Security review of tag2upload"):
> [...] in the general case we have absolutely no idea how to
> map a source package in the archive back to a Git tree.  That's exactly
> the problem that tag2upload is trying to solve.  For non-tag2upload
> packages, we still have to rely on the source package as the farthest back
> that we can trace the code without diverging into package-specific
> analysis and diverging maintainer workflows.

In fact, you *can* trace this back further if the uploader used
`dgit push`.  The .dsc contains a Dgit: field naming a commit,
and dgit-repos contains all the data you need to trace that back to
the maintainer's git branch, and has the maintainer's signed tag.

This formal, standardised link between the .dsc and git is one of the
biggest reasons why using dgit push is a good thing.  Of course it
mostly benefits downstreams and users, so it's less visible to the
maintainer.

With `dgit push` the correspondence between source package and git
branch is assured on the uploader's machine, rather than a central
service, so it could be breached by attacks or serious malfunctions.

The point of tag2upload is to move all this stuff from the
maintainer's machine to a central service, where it is more reliable,
more secure, and more convenient.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
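Added illustration of the Dgit: field mechanism described in the message above (example code, not from dgit or the thread): it unwraps a clearsigned .dsc, finds the Dgit: field and returns the commit it names, or None when the package was not uploaded with `dgit push` and the source package is therefore the farthest point the chain reaches. Assumptions: the sample .dsc is constructed, only the first whitespace-separated token of the field is taken as the commit id (the shape of the trailing tokens is assumed), and signature verification of the .dsc happens separately.

```python
# Constructed sample of a clearsigned .dsc as written by an upload made with dgit push; package,
# version, commit id and the (emptied) signature block are placeholders, not real archive data.
SAMPLE_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Version: 1.2-3
Dgit: 0123456789abcdef0123456789abcdef01234567 debian archive/debian/1.2-3 https://git.dgit.debian.org/example-pkg
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 example-pkg_1.2-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def clearsigned_body(text):
    """Unwrap clearsign armor to the signed text (unchanged if not armored); verifying the signature (gpg --verify) is assumed to happen elsewhere."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = lines.index("", 1)  # armor headers such as Hash: end at the first blank line
    body = []
    for line in lines[i + 1:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)

def parse_deb822(text):
    """Parse the first deb822 paragraph into {lowercased field name: value}."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:  # continuation of the previous field
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            fields[current] = value.strip()
    return fields

def dgit_commit(dsc_text):
    """Commit named by Dgit:, or None when absent (then the source package is as far back as we get)."""
    value = parse_deb822(clearsigned_body(dsc_text)).get("dgit")
    if value is None:
        return None
    commit = value.split()[0]  # assumption: first token is the commit id; later tokens are left opaque
    if len(commit) != 40 or any(c not in "0123456789abcdef" for c in commit):  # SHA-1 object name
        raise ValueError(f"Dgit field does not name a well-formed commit: {value!r}")
    return commit
```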
