On 24.06.24 17:33, Scott Kitterman wrote:
>> Well, that shouldn't prevent us from allowing them to sign something else instead. Like, a git tag.
> None of that changes the fact that it's what they signed.
>> Part of the reason for this usefulness is that git didn't exist in 1993.
> You need to sign *something* if we want an unforgeable record of who uploaded what. Historically, the project has found that useful
> and I think it still is.
Signed git tags are even more useful IMHO.

This is the source (upstream / patches / merges / …), this is what I changed, this is what I signed. All causally linked and, absent a heavily-modified git executable, directly verifiable and reusable for further work.

You don't get that with a signed .dsc file. That file merely says "I had some source on my system, ran 'debuild -S', and signed the result".
-- 
-- regards
-- 
-- Matthias Urlichs
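The "causally linked" property the reply relies on (a tag signature covers the commit id, the commit covers the tree id, the tree covers every file's blob id) can be seen by rebuilding git's object hashing by hand. The following is an added example, not code from this thread or from Debian's upload tooling; it assumes git's standard blob/tree/commit/tag object formats, restricts trees to a flat directory of regular files, and uses a constructed source tree, identity and timestamp. It stops at the bytes the tag signature covers; a real signed tag has the ASCII-armoured OpenPGP signature appended to that payload.

```python
import hashlib
from typing import Dict, List


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 of a git object: the header 'type <size>\\0' followed by the body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Object id of a file's contents."""
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Object id of a flat tree of regular files (mode 100644).

    git sorts entries by name and stores each child's id as 20 raw bytes,
    so the tree id changes whenever any file's name or content changes."""
    body = b""
    for name in sorted(files):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parents: List[str], ident: str, message: str) -> str:
    """Object id of a commit; 'ident' is 'Name <email> <unix-time> <tz>'."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def tag_payload(commit: str, name: str, tagger: str, message: str) -> bytes:
    """The bytes an OpenPGP signature on an annotated tag covers.

    For a signed tag, git appends the armoured signature to this payload and
    stores the result as the tag object, so verifying the signature
    authenticates the commit id and, through it, the tree and every blob."""
    return (
        f"object {commit}\ntype commit\ntag {name}\ntagger {tagger}\n\n{message}\n"
    ).encode()


def payload_for_source(files: Dict[str, bytes], parent: str = "") -> bytes:
    """Build tree -> commit -> tag for a constructed source directory and
    return the tag payload. Identity, timestamp and tag name are constructed."""
    ident = "Example Maintainer <maint@example.org> 1719243180 +0200"
    commit = commit_id(tree_id(files), [parent] if parent else [], ident, "Release 1.0-1")
    return tag_payload(commit, "debian/1.0-1", ident, "Upload of 1.0-1")


if __name__ == "__main__":
    # Constructed sample source tree; a real package has many more files.
    source = {"README": b"toy package\n", "hello.c": b"int main(void) { return 0; }\n"}
    original = payload_for_source(source)
    # Flip one byte in one file: the blob, tree, commit and tag payload all
    # change, so a signature made over the original payload no longer verifies.
    tampered = dict(source, **{"hello.c": b"int main(void) { return 1; }\n"})
    print(original.decode())
    print("payload changed after tampering:", payload_for_source(tampered) != original)
```

The known ids for the empty blob and empty tree, and for a blob containing `hello\n`, match what `git hash-object` produces, which is a quick way to confirm the reimplementation agrees with real git before trusting the rest.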