On 21.06.24 14:33, Ansgar 🙀 wrote:
> IMHO tag2upload does not drop integrity checks, for the simple reason that a maintainer who uses dgit today does not perform any such test. The change request is for the archive to drop them.
Umm, no. We're not dropping the check; we required a maintainer's signature before, and we still do so after. We just place a packaging-and-possibly-source-mangling server between A and B.
Also it's not an integrity check. It doesn't verify that the files in the uploaded tarball correspond to either the git tag of the source the maintainer worked on *or* the contents of their file system when they ran "dpkg -S".
Fundamentally, the fact remains that when you do a "dgit push-source" today, dak integrity-checks some tar files that were generated and signed on a random machine with random and possibly-malevolent software that could have silently replaced any file it wanted to – files which you currently can't auto-verify independently and which no human will examine (unless there's a strong external suspicion of foul play).
While the "random machine" problem still holds with t2u, that's mitigated by the fact that all other disadvantages go away. The source is now a git tag on Salsa whose history people who work on the code actually use and examine, the dgit job runs in a VM with defined state, and the correctness of its output is easily machine-verifiable.
In that light, telling dak to trust that the t2u service hasn't been subverted seems like a very minor disadvantage to me, esp. since we already identified ways to strengthen that trust.
-- 
regards
Matthias Urlichs