On 30.06.24 19:28, Russ Allbery wrote:
> Oh! Did I misunderstand Joerg's second point entirely? By "the tag that t2u wants to upload," I assumed that meant the tag the uploader signed or, in other words, the state of the tree *before* t2u started doing its work that has the uploader signature attached.
Given that the uploader basically signed an entire git tree, adding additional tarballs is rather redundant IMHO. Also, requiring a "fat" upload would preclude the "uploader behind an unreliable, molasses-slow, or heavily-metered network connection" use cases which the t2u design enables (and which I'd insist on, given the mobile networking situation in non-urban areas of quite a few ostensibly first-world countries, not to mention the rest of the planet).

Including a "git ls-files" output from the client is something I can sort of live with, given that it'll compress quite well. Frankly I don't see the security advantage of such a file. On the other hand, if it's a case of "meet the ftpmasters' unease about the whole thing halfway", and if that's what it takes to avoid a GR (time that's better spent actually deploying t2u), I'm +0 on the idea.
-- 
-- regards
-- 
-- Matthias Urlichs
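The point Matthias makes above, that an OpenPGP signature on an annotated tag already commits to every path and every byte of the tree, so a separately shipped `git ls-files` listing adds no information the signature does not already cover, can be checked by hand with git's object format. The following is an added illustration, not code from tag2upload or from any participant in this thread. It rebuilds git's blob, tree, commit and tag objects in pure Python (the same SHA-1 over `"<type> <len>\0<body>"` that `git hash-object` uses), over a small constructed set of files, then recovers the `ls-files` view purely from the tree objects the tag names, and shows that changing one byte of one file changes the tree id and therefore the signed payload. The uploader identity, tag name and file contents are made-up sample data.

```python
import hashlib
from typing import Dict, List, Tuple

# Minimal in-memory object store: object id -> (type, body).
Store = Dict[bytes, Tuple[bytes, bytes]]


def put(store: Store, kind: bytes, body: bytes) -> bytes:
    """Store a loose git object and return its raw 20-byte id.

    git names objects by SHA-1 over "<type> <len>\\0<body>"; this is the
    same value `git hash-object` prints (as hex).
    """
    oid = hashlib.sha1(kind + b" " + str(len(body)).encode() + b"\0" + body).digest()
    store[oid] = (kind, body)
    return oid


def write_tree(store: Store, files: Dict[str, bytes]) -> bytes:
    """Build nested tree objects for a flat {path: content} map; return the root tree id."""
    entries = []  # (git sort key, mode, name, object id)
    subdirs: Dict[str, Dict[str, bytes]] = {}
    for path, data in files.items():
        head, sep, rest = path.partition("/")
        if sep:
            subdirs.setdefault(head, {})[rest] = data
        else:
            entries.append((head, b"100644", head, put(store, b"blob", data)))
    for name, sub in subdirs.items():
        # git orders tree entries by name, treating a directory as "name/".
        entries.append((name + "/", b"40000", name, write_tree(store, sub)))
    entries.sort(key=lambda e: e[0])
    body = b"".join(mode + b" " + name.encode() + b"\0" + oid
                    for _, mode, name, oid in entries)
    return put(store, b"tree", body)


def write_commit(store: Store, tree: bytes, ident: bytes, message: bytes) -> bytes:
    """A root commit pointing at `tree` (author == committer for brevity)."""
    body = (b"tree " + tree.hex().encode() + b"\n"
            + b"author " + ident + b"\ncommitter " + ident + b"\n\n" + message)
    return put(store, b"commit", body)


def tag_payload(commit: bytes, name: bytes, tagger: bytes, message: bytes) -> bytes:
    """The annotated-tag object minus its signature block: what `git tag -s` signs."""
    return (b"object " + commit.hex().encode() + b"\ntype commit\ntag " + name
            + b"\ntagger " + tagger + b"\n\n" + message)


def ls_files(store: Store, tree: bytes, prefix: str = "") -> List[str]:
    """Recover the `git ls-files` listing by parsing only the tree objects."""
    kind, body = store[tree]
    if kind != b"tree":
        raise ValueError("not a tree object")
    paths: List[str] = []
    i = 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\0", sp)
        mode, name = body[i:sp], body[sp + 1:nul].decode()
        oid = body[nul + 1:nul + 21]  # raw 20-byte id follows the NUL
        i = nul + 21
        if mode == b"40000":
            paths.extend(ls_files(store, oid, prefix + name + "/"))
        else:
            paths.append(prefix + name)
    return paths


def demo() -> dict:
    """Constructed sample upload; names and contents are hypothetical."""
    store: Store = {}
    files = {
        "debian/changelog": b"hello (1.0-1) unstable; urgency=medium\n",
        "debian/control": b"Source: hello\n",
        "hello.c": b"int main(void) { return 0; }\n",
    }
    ident = b"Example Uploader <uploader@example.org> 1719768480 +0200"
    root = write_tree(store, files)
    commit = write_commit(store, root, ident, b"Release 1.0-1\n")
    payload = tag_payload(commit, b"debian/1.0-1", ident, b"hello Debian release 1.0-1\n")

    # One-byte change in one file: a different tree, commit and signed payload.
    tampered = dict(files)
    tampered["hello.c"] = b"int main(void) { return 1; }\n"
    tampered_root = write_tree(store, tampered)

    return {
        "tree": root.hex(),
        "manifest": ls_files(store, root),          # derived from the tree alone
        "commit_in_payload": commit.hex().encode() in payload,
        "tree_changes_on_tamper": tampered_root != root,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The chain is tag payload -> commit id -> tree id -> (mode, path, blob id) for every file, so the manifest is a projection of data the uploader's signature already binds; what a manifest cannot do is detect a substitution that also rewrites the tree, because then the signature check itself fails first.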