>>>>> "Matthias" == Matthias Urlichs <matth...@urlichs.de> writes:
Matthias> A reproducibility checker for t2u seems like child's play,
Matthias> compared to that effort. While no t2u checker currently
Matthias> exists, somebody might be motivated enough to write
Matthias> one. (Hint, hint …)

You don't even need a reproducibility checker; you just need to have a verification checker. I.e., some independent tool that takes the dsc and git tag and confirms that the transformations between the two of them are acceptable.

This is, I think, the security property you actually want, not reproducibility. Assuming no undesired changes have been introduced into tag2upload, it's reasonably easy to argue that reproducibility gives you this property. It is not the only way to approach verification though.
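The kind of verification check described in the message above, as an added example that is not part of the original message and is not tag2upload code. It assumes the tagged git tree and the unpacked source package are already available as two directories (for instance from `git archive` and `dpkg-source -x`); the allowlists `ALLOWED_ADDED` and `ALLOWED_DROPPED` are a hypothetical policy chosen for illustration.

```python
import hashlib
import os
from fnmatch import fnmatchcase

# Hypothetical policy, assumed for this example only (not tag2upload's rules):
# paths the source package may add to, or omit from, the tagged tree.
ALLOWED_ADDED = ("debian/patches/*",)
ALLOWED_DROPPED = (".gitignore", ".gitattributes")


def manifest(root):
    """Map each relative path under root to a SHA-256 of its kind and content.

    Symlinks are hashed by target string, never followed, so a link that
    points outside the tree cannot pull foreign content into the comparison.
    The kind prefix keeps a symlink and a regular file from hashing alike.
    """
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        dirnames[:] = [d for d in dirnames if d != ".git" and d not in links]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                data = b"link:" + os.fsencode(os.readlink(full))
            else:
                with open(full, "rb") as fh:
                    data = b"file:" + fh.read()
            out[rel] = hashlib.sha256(data).hexdigest()
    return out


def verify(git_manifest, dsc_manifest):
    """Return sorted (kind, path) violations; an empty list means accepted."""
    def allowed(path, patterns):
        return any(fnmatchcase(path, p) for p in patterns)

    violations = []
    for path in sorted(set(git_manifest) | set(dsc_manifest)):
        in_git, in_dsc = path in git_manifest, path in dsc_manifest
        if in_git and in_dsc:
            if git_manifest[path] != dsc_manifest[path]:
                violations.append(("modified", path))
        elif in_dsc and not allowed(path, ALLOWED_ADDED):
            violations.append(("added", path))
        elif in_git and not allowed(path, ALLOWED_DROPPED):
            violations.append(("dropped", path))
    return violations
```

The checker never rebuilds the source package: it accepts any .dsc whose differences from the tag fall inside the policy, which is a verification property rather than byte-for-byte reproducibility.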