Aigars Mahinovs <aigar...@debian.org> writes: > In contrast, having a tarball of the git state *before* t2u starts its > work would provide a tarball that *can* be verified against the > checksums from the first file. That will give you a clear data point - > t2u started its work with the exactly the same workspace as the > maintainer signed. And will provide a frozen copy of that starting > workspace in the archive independent of the (more complex) dgit service.
Oh, okay, that's what I thought Joerg was saying, and I misunderstood your message. So yes, the two files are technically redundant (I think they're both signed by t2u since presumably they're in *.changes). -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
