On Wed, Jun 26, 2024 at 01:44:10AM +0800, Jun MO wrote:
> > For the third purpose, I believe only weak intent information can be
> > derived from the uploader signature today. It is common practice in Debian
> > to verify the Git tree that one wants to upload, run a package build step,
> > and then blindly sign the resulting source package. [...]
>
> I feel this is somehow ... wrong. I think, *currently*, it should be a moral
> obligation for a DD to make sure the resulting source package is correct.

I don't think I ever upload source packages without actually building them
(my normal workflows include building a package in sbuild, producing a binary
.changes and debs that I run lintian and other checks on, and a source
.changes that gets uploaded if a binary upload is not required). But I never
look inside generated source packages; I don't even know what to check there.

> Although many people claim the source package is a build artifact, I
> think the source package is still supposed to be readable by a human,
> unlike binary packages. I think it is true especially for patches under
> d/patches/ as they are very similar to git commits.

My git repos represent unpacked source packages. I obviously read what's
inside my git repos and assume the same goes into my source packages. I
don't test this assumption.

-- 
WBR, wRAR
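The reply above says the author never looks inside a generated source package and does not know what to check there. The smallest mechanical check is the one below, added here as an example; it is not code from the thread or from any Debian tool. It parses a .dsc (deb822 fields, optionally inside an OpenPGP clearsign wrapper) and confirms that every file named under Checksums-Sha256 exists next to it with the stated size and SHA-256. The package name "hello", the two file names and the tarball bytes are constructed placeholders, not real archives, and the signature block is a placeholder that is not verified (that is the job of dscverify from devscripts, or gpg --verify). It does not answer the thread's real question, whether the unpacked source matches the git tree; for that one still has to unpack with dpkg-source -x and compare trees, for instance with git diff --no-index.

```python
import hashlib
import os
import tempfile


def dsc_body(text):
    """Return the deb822 lines of a .dsc, dropping an OpenPGP clearsign wrapper if present.
    Assumes no dash-escaped lines in the signed part (true for .dsc fields, none start with '-')."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        i = 1
        while i < len(lines) and lines[i].strip():  # skip 'Hash: ...' armor headers
            i += 1
        lines = lines[i + 1:]                       # skip the blank separator line
        for j, line in enumerate(lines):
            if line == "-----BEGIN PGP SIGNATURE-----":
                lines = lines[:j]
                break
    return lines


def parse_fields(lines):
    """Parse one deb822 paragraph into {field: value}; continuation lines are joined with '\\n'."""
    fields, key = {}, None
    for line in lines:
        if not line.strip():
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key] += "\n" + line.strip()
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed field line: %r" % line)
            fields[key] = value.strip()
    return fields


def listed_files(fields, field="Checksums-Sha256"):
    """Yield (name, size, hexdigest) for every entry of a checksum field."""
    for line in fields[field].splitlines():
        if line:
            digest, size, name = line.split()
            yield name, int(size), digest


def verify_dsc(dsc_path):
    """Return a list of problems; empty means every file the .dsc names matches on disk."""
    directory = os.path.dirname(os.path.abspath(dsc_path))
    with open(dsc_path, encoding="utf-8") as f:
        fields = parse_fields(dsc_body(f.read()))
    problems = []
    for name, size, digest in listed_files(fields):
        if name != os.path.basename(name):  # entries must be bare file names, never paths
            problems.append("%s: not a bare file name" % name)
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append("%s: missing" % name)
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != size:
            problems.append("%s: size %d, .dsc says %d" % (name, len(data), size))
        actual = hashlib.sha256(data).hexdigest()
        if actual != digest:
            problems.append("%s: sha256 %s, .dsc says %s" % (name, actual, digest))
    return problems


# Constructed placeholders for the two tarballs of a hypothetical 'hello' package.
SAMPLE_FILES = {
    "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "hello_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}


def make_sample(directory, corrupt=False):
    """Write the constructed package into `directory` and return the .dsc path.
    The .dsc is wrapped in a placeholder clearsign armor; there is no real signature."""
    body = ["Format: 3.0 (quilt)", "Source: hello", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in SAMPLE_FILES.items():
        body.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
        if corrupt and name.endswith(".debian.tar.xz"):
            data = data[:-1] + b"X"  # same size, different content: only the digest catches it
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    dsc = "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA512", ""] + body
                    + ["-----BEGIN PGP SIGNATURE-----", "", "placeholder", "-----END PGP SIGNATURE-----", ""])
    dsc_path = os.path.join(directory, "hello_1.0-1.dsc")
    with open(dsc_path, "w", encoding="utf-8") as f:
        f.write(dsc)
    return dsc_path


def demo():
    """Verify an intact and a tampered copy; returns {corrupt_flag: problems}."""
    results = {}
    for corrupt in (False, True):
        with tempfile.TemporaryDirectory() as d:
            results[corrupt] = verify_dsc(make_sample(d, corrupt=corrupt))
    return results


if __name__ == "__main__":
    for corrupt, problems in demo().items():
        print("tampered" if corrupt else "intact", "->", problems or "all files match")
```

Running it reports the intact copy as clean and names the tampered debian tarball by its digest mismatch; because the tampered file keeps its size, the Files/size line alone would not have caught it, which is why the digest field is the one worth checking.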