On 2024-06-17 11:39, Joerg Jaspert wrote:
> On 17263 March 1977, Matthias Urlichs wrote:
>>> Still, we should find a way to keep the existing property of verifying
>>> what the uploader signed to upload *without* requiring a third-party
>>> $something to be available.
>> Verifying what the uploader signed is simple enough, it's a git tag.
>> You fetch it and verify that the hashes match ("git fsck"; current git
>> is hardened against SHAttered) and that it's signed by the correct
>> key.
> That's a third-party.

That claim depends on the definition of first party. You use a narrow
definition of it (only the archive / mirrors and dak are first party,
unless I misunderstood), others would include salsa and tag2upload in
their definition of first party. I haven't made up my mind yet on which
one I find more compelling. But for the sake of argument, let's use your
definition in my reply.

>> You want to verify t2u's work? Simple enough, run dgit and compare to
>> whatever t2u sent you. No $something required.
> $something is required. It is not there with the source package on your
> mirror. It is a random other place. Sure, hosted by Debian, but it's
> still elsewhere and another thing required to have.

I don't know git very well (so please be tolerant when my wording
doesn't match the canonical verbiage git enthusiasts would use), but if
I understood correctly, one could create a bundle (sort of archive)
from a git repo, restricted to only a few (one?) states. Assuming I'm
right and one could create a bundle that *only* contains the state of
the git repo at the tag that the Debian developer signed, would it be
acceptable to you if tag2upload did the following:

1) Create the standard Debian source package (.dsc, .orig* archives if
applicable, .debian* archive or .diff*) from the git tag that was
signed.
2) Create a bundle of the git repo at said tag.
3) If that doesn't already include the signed tag, somehow export that
as well, including the verifiable signature.
4) Upload bundle, dsc, tag2upload-signed .changes file with references
to the bundle and dsc and other uploaded files (.debian*, .orig*,
.diff*).

Assuming someone would provide a code update to dak to verify that the
tag is signed correctly and that the bundle contains the state at the
signed tag, would that be sufficient in your view, or would you *also*
want something to verify that the .dsc and related source-package files
are actually generated from that? Because if you also wanted that, we
would be back at square one, since you didn't want dak (or a tool called
by it) to generate the source package (assuming I didn't misunderstand
previous mails).

AFAICT, this would allow us to keep the data in the relevant git tag and
the signature by the developer on said tag right next to the (generated)
source package.

>> Another way of doing this would be to teach t2u to simply push the tag
>> to an append-only git store. Then teach the builders that instead of
>> their equivalent of "apt-get source" they should fetch this tag from
>> our git store and run dgit (and then push the legacy source tarballs)
>> themselves.
>> Would that scheme work better for you?
> Not with an unchanged archive structure.

Oh wait, you mean the builders generate the source package as it will
end up in the archive? Where is the difference in builders generating
vs. t2u generating here, as the other part, signature from uploader,
would still not be there?

(Not a direct reply) In my proposal above, this would essentially be
equivalent to .bundle+tag+sig = Developer upload, source package &
binary packages: Generated and uploaded by builders (including
tag2upload).
Kind regards,
Sven
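Added example, not part of the thread and not code from tag2upload or dak: a Python precondition check for the bundle half of the proposal above, namely that what was uploaded is a self-contained git bundle carrying exactly the signed tag and nothing else. It parses only the bundle's text header (layout as documented in git's gitformat-bundle); the tag name, object ids and bundle samples are constructed, and the real content and signature checks remain git's own `git bundle verify`, `git fsck` and `git verify-tag`.

```python
import re

# A git bundle starts with a text header: "# v2 git bundle" (or "# v3 git bundle"
# followed by "@capability" lines), then optional "-<oid> <comment>" prerequisite
# lines, then "<oid> <refname>" lines, a blank line, and finally a packfile.
OID = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")  # SHA-1 or SHA-256 object id


def parse_bundle_header(data: bytes):
    """Return (prerequisite oids, {refname: oid}) from a bundle's text header.
    Only the header is parsed; whether the packfile really holds the objects is
    left to `git bundle verify` / `git fsck`."""
    head, sep, _pack = data.partition(b"\n\n")
    if not sep:
        raise ValueError("no blank line terminating the bundle header")
    lines = head.decode("ascii").split("\n")
    if lines[0] not in ("# v2 git bundle", "# v3 git bundle"):
        raise ValueError(f"not a git bundle: {lines[0]!r}")
    prereqs, refs = [], {}
    for line in lines[1:]:
        if line.startswith("@"):   # v3 capability such as @object-format=sha256
            continue
        if line.startswith("-"):   # basis objects the receiver must already have
            oid = line[1:].split(" ", 1)[0]
            prereqs.append(oid)
        else:
            oid, _, refname = line.partition(" ")
            if not refname.startswith("refs/"):
                raise ValueError(f"malformed reference line: {line!r}")
            refs[refname] = oid
        if not OID.match(oid):
            raise ValueError(f"bad object id in line: {line!r}")
    return prereqs, refs


def single_tag_bundle_oid(data: bytes, tagname: str) -> str:
    """Object id recorded for refs/tags/<tagname>, after checking that the bundle
    is self-contained (no prerequisites) and carries no other ref at all."""
    prereqs, refs = parse_bundle_header(data)
    if prereqs:
        raise ValueError(f"not self-contained: needs {len(prereqs)} prerequisite object(s)")
    wanted = f"refs/tags/{tagname}"
    if set(refs) != {wanted}:
        raise ValueError(f"expected only {wanted}, bundle carries {sorted(refs)}")
    return refs[wanted]


def bundle_is_acceptable(data: bytes, tagname: str) -> bool:
    try:
        single_tag_bundle_oid(data, tagname)
        return True
    except ValueError:
        return False


# Constructed samples (ids and tag name are made up). GOOD is the header that
# "git bundle create x.bundle refs/tags/debian/1.0-1" writes; THIN is a bundle made
# against a basis ("main..debian/1.0-1"), useless to an archive that has no
# other copy of the repo; EXTRA carries a second ref the developer never signed.
SHA = "0123456789abcdef0123456789abcdef01234567"
GOOD = b"# v2 git bundle\n" + f"{SHA} refs/tags/debian/1.0-1\n".encode() + b"\nPACK<packfile bytes>"
THIN = GOOD.replace(b"bundle\n", b"bundle\n-89abcdef0123456789abcdef0123456789abcdef previous upload\n", 1)
EXTRA = GOOD.replace(b"\nPACK", f"{SHA} refs/heads/master\n\nPACK".encode(), 1)
```

This only rejects bundles that cannot possibly satisfy the proposal; the uploader's signature is then checked with `git verify-tag` on the tag fetched from the bundle, and the hashes with `git fsck`, exactly as Matthias describes.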