On Sun, 16 Jun 2024 at 17:32, Bart Martens <ba...@debian.org> wrote:
>
> On Sun, Jun 16, 2024 at 03:31:25PM +0200, Matthias Urlichs wrote:
> > On 13.06.24 10:26, Sean Whitton wrote:
> > > Yes.  A proposal that has not yet engaged with the complexities of
> > > 3.0 (quilt) is not one in which we can yet have any confidence.
> >
> > The proposal simply intends to do whatever the uploader would do to build
> > the source package from a tagged git worktree, except in a controlled and
> > sandboxed environment.
> >
> > I fail to understand why we should have any less confidence in that than in
> > whatever the uploader does manually to achieve the same result (we hope!!).
>
> One could argue that neither matters. It is the outcome that matters: the source
> package itself. That's what gets distributed.

One could argue that neither matters; it is the binary package that end
users actually use on their systems, that runs commands on millions of
installations, as root.

And nowadays that binary package is nearly always generated *and signed* by an
automated software system on one of Debian's servers. Not by the maintainer.

You already have to follow the chain of verifications back through
automatically signed files:
Release -> Packages -> binary deb -> source dsc

What difference does it make to add another step at the end: -> git tag?

-- 
Best regards,
    Aigars Mahinovs        mailto:aigar...@debian.org
  #--------------------------------------------------------------#
 | .''`.    Debian GNU/Linux (http://www.debian.org)            |
 | : :' :   Latvian Open Source Assoc. (http://www.laka.lv)     |
 | `. `'    Linux Administration and Free Software Consulting   |
 |   `-                                 (http://www.aiteki.com) |
 #--------------------------------------------------------------#

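An added illustration of the argument in the message above, written for this page and not taken from Debian's tooling or file formats: a toy model of a chain of manifests in which only the root is signed and every link down to the git tag is a SHA-256 reference embedded in the parent. Everything here is constructed: the artifacts are short byte strings, the OpenPGP signature on the Release file is replaced by an HMAC with a made-up archive key, and the binary-to-source link is modelled by a made-up "Source-Dsc-SHA256" field (in the real archive that association is recorded elsewhere, in the build metadata, not inside the .deb). What the model does show is the point of the message: extending the chain by one more hash-linked step changes nothing about the trust model, and tampering with any link is caught at the parent above it.

```python
"""Toy model of a hash-linked verification chain with a single signed root.

Constructed example, not Debian's real formats: 'signing' is HMAC-SHA256
with a constructed archive key standing in for the archive's OpenPGP key,
and field names other than SHA256/Filename are invented for the model.
"""
import hashlib
import hmac
import re

ARCHIVE_KEY = b"constructed-archive-signing-key"   # stand-in for the archive OpenPGP key
HEX64 = re.compile(rb"\b[0-9a-f]{64}\b")           # first SHA-256 reference in a manifest

# Verification order: each entry embeds the SHA-256 of the next one.
CHAIN = ["Release", "Packages", "deb", "dsc", "git_tag"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(release: bytes) -> str:
    """Stand-in for the OpenPGP signature on the Release file (HMAC, constructed key)."""
    return hmac.new(ARCHIVE_KEY, release, hashlib.sha256).hexdigest()


def build_archive(source_tree: bytes, deb_payload: bytes) -> dict:
    """Build the constructed chain bottom-up. Only Release gets a signature."""
    commit_id = sha256(source_tree)                    # modelled git commit id
    git_tag = f"object {commit_id}\ntag debian/1.0-1\n".encode()
    # The proposed extra link: the .dsc records the tag it was generated from.
    dsc = f"Source: foo\nVersion: 1.0-1\nGit-Tag-SHA256: {sha256(git_tag)}\n".encode()
    # Modelled binary-to-source link (invented field, see module docstring).
    deb = deb_payload + f"\nSource-Dsc-SHA256: {sha256(dsc)}\n".encode()
    packages = ("Package: foo\nVersion: 1.0-1\n"
                "Filename: pool/main/f/foo/foo_1.0-1_amd64.deb\n"
                f"SHA256: {sha256(deb)}\n").encode()
    release = ("Suite: unstable\nSHA256:\n"
               f" {sha256(packages)} {len(packages)} main/binary-amd64/Packages\n").encode()
    return {"Release": release, "Release.sig": sign_release(release),
            "Packages": packages, "deb": deb, "dsc": dsc, "git_tag": git_tag}


def verify_chain(archive: dict, chain=CHAIN) -> tuple:
    """Verify the single root signature, then walk every embedded hash link.

    Returns (True, "ok") or (False, <first link that failed>). Adding a new
    artifact at the end of `chain` adds one more hash comparison and nothing else.
    """
    if not hmac.compare_digest(sign_release(archive["Release"]), archive["Release.sig"]):
        return False, "Release: signature does not verify"
    for parent, child in zip(chain, chain[1:]):
        ref = HEX64.search(archive[parent])
        if ref is None:
            return False, f"{parent}: no SHA-256 reference to {child}"
        if ref.group(0).decode() != sha256(archive[child]):
            return False, f"{parent} -> {child}: hash mismatch"
    return True, "ok"


def tamper(archive: dict, name: str) -> dict:
    """Flip one byte of the named artifact without touching anything else."""
    tampered = dict(archive)
    blob = bytearray(archive[name])
    blob[0] ^= 0x01
    tampered[name] = bytes(blob)
    return tampered


if __name__ == "__main__":
    sample = build_archive(b"upstream source tree (constructed)", b"toy binary payload")
    print(verify_chain(sample))
    for name in ("Release", "Packages", "deb", "dsc", "git_tag"):
        print(name, verify_chain(tamper(sample, name)))
```

Running the block verifies the intact constructed archive and then shows, for each artifact, which link reports the tampering: a modified Release fails the root signature, and a modified Packages, deb, dsc or git tag fails the hash check in the artifact immediately above it. The git tag is handled by exactly the same comparison as every earlier link.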