On Jun 24, 2024 7:03 PM, Matthias Urlichs <matth...@urlichs.de> wrote:
> On 24.06.24 17:33, Scott Kitterman wrote:
> > None of that changes the fact that it's what they signed.
> Well, that shouldn't prevent us from allowing them to sign something
> else instead. Like, a git tag.
> > Historically, the project has found that useful
> Part of the reason for this usefulness is that git didn't exist in 1993.
> You need to sign *something* if we want an unforgeable record of who
> uploaded what.
> > and I think it still is.
> Signed git tags are even more useful IMHO.
>
> This is the source (upstream / patches / merges / …), this is what I
> changed, this is what I signed. All causally linked and, absent a
> heavily-modified git executable, directly verifiable and reusable for
> further work.
>
> You don't get that with a signed .dsc file. That file merely says "I had
> some source on my system, ran 'debuild -S', and signed the result".

I strongly (but respectfully) disagree. You may see it this way. I see it as signing the very thing that is pushed to the Debian archive. You aren't uploading a bunch of git SHAs to the archive but a source package. It feels very normal, therefore, that that is the thing that we would like you to sign. Too bad this is less convenient for your workflow, but that is the correct semantic.

I very much do NOT buy into this "signing a git tag makes more sense". I understand it is easier to implement. But from the Debian perspective, that is simply wrong.

Cheers,

Thomas Goirand (zigo)
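The "causally linked" claim above rests on how git names objects: a tag signature covers the tag object text, which names a commit id; the commit id covers the tree id; the tree id covers every blob id. The following is an added example, not code from this thread, from Debian's tooling or from git itself: a minimal Python re-implementation of git's object hashing (the object formats are git's real ones; the repository contents, tagger identity and tag name are constructed for the example, and only flat trees without subdirectories are handled). It shows that the bytes an OpenPGP key would sign for `git tag -s` change whenever any file in the tagged tree changes, and uses a SHA-256 of that payload as a stand-in for the OpenPGP signature.

```python
"""Added example: what a signed git tag binds, via git's object hashing.
Not Debian or git code; object formats are git's, sample data is constructed."""
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 of '<kind> <size>\\0<body>', exactly how git names an object."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Object id of a file's content (what `git hash-object` prints)."""
    return git_object_id("blob", content)


def tree_id(entries: dict) -> str:
    """Object id of a flat tree; entries maps file name -> content.
    git stores each entry as '<mode> <name>\\0<20 raw sha bytes>', sorted by
    name. Regular files use mode 100644; subdirectories are not modelled here."""
    body = b""
    for name in sorted(entries):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(entries[name]))
    return git_object_id("tree", body)


# Constructed tagger identity and timestamp for the example.
IDENT = "Example Maintainer <maint@example.org> 1719248580 +0200"


def commit_id(tree: str, parents: list, message: str) -> str:
    """Object id of a commit: covers the tree id, every parent id, identities
    and the message, so it transitively covers all file contents."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message]
    return git_object_id("commit", "\n".join(lines).encode() + b"\n")


def tag_payload(commit: str, tag_name: str, message: str) -> bytes:
    """The bytes a key signs for `git tag -s`: the annotated tag object text.
    git appends the armored signature after this payload in the stored object."""
    lines = [f"object {commit}", "type commit", f"tag {tag_name}",
             f"tagger {IDENT}", "", message]
    return "\n".join(lines).encode() + b"\n"


def signed_digest(files: dict, parents: list, tag_name: str) -> str:
    """SHA-256 of the to-be-signed tag payload for a snapshot of the tree.
    Stand-in for the OpenPGP signature: it changes iff the payload changes,
    i.e. iff the commit id, hence the tree, hence any file, changed."""
    commit = commit_id(tree_id(files), parents, "Upload to unstable")
    payload = tag_payload(commit, tag_name, f"release {tag_name}")
    return hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    # Constructed source tree: a flat stand-in for a tiny package.
    files = {"hello.c": b"int main(void){return 0;}\n",
             "changelog": b"hello (1.0-1) unstable; urgency=medium\n"}
    before = signed_digest(files, [], "debian/1.0-1")
    # One byte of one file changes, with the tag name and identity unchanged.
    files["hello.c"] = b"int main(void){return 1;}\n"
    after = signed_digest(files, [], "debian/1.0-1")
    print("signed payload digest changed:", before != after)
```

`blob_id` reproduces `git hash-object` exactly, and `tree_id({})` yields git's well-known empty-tree id, which is a quick way to check the re-implementation against a real git binary. The point the thread argues about is which artifact the maintainer's key covers; this example only makes explicit that a tag signature covers the full tree content through the hash chain, not that it covers what ends up in the archive.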