On Sun, 30 Jun 2024 at 19:28, Russ Allbery <r...@debian.org> wrote:
>
> Aigars Mahinovs <aigar...@gmail.com> writes:
>
> > Correct me if I'm wrong, but I believe the intention is to have two
> > technically redundant data points saved into the archive:
>
> > 1) checksums of the contents of the shallow copy git tree in the
> > maintainer work folder (signed by the maintainer)
> > 2) contents of the shallow copy git tree in the t2u server work folder
> > (signed by t2u)
>
> Oh! Did I misunderstand Joerg's second point entirely? By "the tag that
> t2u wants to upload," I assumed that meant the tag the uploader signed or,
> in other words, the state of the tree *before* t2u started doing its work
> that has the uploader signature attached.
I do not see that in either what Joerg or I wrote. And I also don't see
much sense in that.

In contrast, having a tarball of the git state *before* t2u starts its
work would provide a tarball that *can* be verified against the checksums
from the first file. That will give you a clear data point - t2u started
its work with exactly the same workspace as the maintainer signed. And
will provide a frozen copy of that starting workspace in the archive
independent of the (more complex) dgit service.

--
Best regards,
    Aigars Mahinovs        mailto:aigar...@debian.org
  #--------------------------------------------------------------#
  | .''`.    Debian GNU/Linux              (http://www.debian.org) |
  | : :' :   Latvian Open Source Assoc.    (http://www.laka.lv)    |
  | `. `'    Linux Administration and Free Software Consulting     |
  |   `-                                   (http://www.aiteki.com) |
  #--------------------------------------------------------------#
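The check described in the reply above, as an added example that is not part of the thread and not tag2upload's or dgit's own code: a frozen tarball of the workspace t2u started from is verified against the maintainer-signed checksum list. The manifest format ("<sha256>  <path>" lines) and the sample tree are assumptions of mine; checking the signature on the list itself is left out.

```python
# Added example, not code from the thread or from tag2upload/dgit: check an
# archived tarball of the tree t2u started from against the maintainer-signed
# checksum list. Assumed (mine): the list is "<sha256>  <path>" lines over the
# tree's regular files; the tarball holds the same paths and nothing else.
import hashlib
import io
import tarfile

def tree_manifest(files):
    """files maps relative path -> bytes (the maintainer's work tree)."""
    return [f"{hashlib.sha256(d).hexdigest()}  {p}" for p, d in sorted(files.items())]

def make_tarball(files):
    """Build the frozen copy of the starting workspace, as t2u would archive it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p, d in sorted(files.items()):
            info = tarfile.TarInfo(name=p)
            info.size = len(d)
            tar.addfile(info, io.BytesIO(d))
    return buf.getvalue()

def verify_tarball(tarball, manifest):
    """Return a sorted list of problems; empty means the two data points agree."""
    expected = dict(line.split("  ", 1)[::-1] for line in manifest)  # path -> digest
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r") as tar:
        for m in tar.getmembers():
            seen.add(m.name)
            if not m.isreg():
                problems.append(f"non-regular member: {m.name}")
            elif m.name not in expected:
                problems.append(f"unexpected file: {m.name}")
            elif hashlib.sha256(tar.extractfile(m).read()).hexdigest() != expected[m.name]:
                problems.append(f"checksum mismatch: {m.name}")
    problems += [f"missing file: {p}" for p in expected.keys() - seen]
    return sorted(problems)

# Constructed sample tree standing in for the maintainer's shallow git checkout.
MAINTAINER_TREE = {
    "debian/changelog": b"hello (1.0-1) unstable; urgency=medium\n",
    "debian/control": b"Source: hello\n",
    "src/hello.c": b"int main(void) { return 0; }\n",
}
MANIFEST = tree_manifest(MAINTAINER_TREE)        # what the maintainer signs
GOOD_TARBALL = make_tarball(MAINTAINER_TREE)     # what t2u froze and archived
TAMPERED = {**MAINTAINER_TREE, "src/hello.c": b"int main(void) { return 1; }\n"}
BAD_TARBALL = make_tarball(TAMPERED)             # a workspace that drifted

if __name__ == "__main__":
    print(verify_tarball(GOOD_TARBALL, MANIFEST))  # []
    print(verify_tarball(BAD_TARBALL, MANIFEST))   # ['checksum mismatch: src/hello.c']
```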