On 17277 March 1977, Ian Jackson wrote:
Firstly, you say a "shallow clone".
It is not straightforward to include *precisely* the set of commits
that are required to reproduce the output. The conversion might, in
principle, go arbitrarily far into the maintainer's packaging branch;
and, if th
Simon Josefsson writes:
> You can mitigate this by re-validating all commit hashes using a SHA1CD
> git implementation before trusting a git repository. I have not seen
> confirmation that 'git fsck' actually does that.
I convinced myself that it does. One of the things git fsck does is
recalcul
Matthias Urlichs writes:
> On 01.07.24 12:46, Aigars Mahinovs wrote:
>> Yes and no. See what the git tag actually contains and what the GPG
>> signature actually signs is just the one hash of the commit object.
>> This commit object then refers to the other files of the repo, but the
>> GPG signa
On 01.07.24 12:46, Aigars Mahinovs wrote:
Yes and no. See what the git tag actually contains and what the GPG
signature actually signs is just the one hash of the commit object.
This commit object then refers to the other files of the repo, but the
GPG signature does not directly sign those.
So
Hello,
Firstly, Andreas:
In the context of this productive discussion we're now having, I'd like
to ask you to use your DPL powers to increase the minimum and maximum
discussion periods for this GR by one week each.
I believe that will be enough time to nail things down, such that I can
withdraw
On Mon, 1 Jul 2024 at 11:33, Matthias Urlichs wrote:
>
> On 30.06.24 21:30, Aigars Mahinovs wrote:
>
> The Debian developer/maintainer creates a signed git tag that contains
> (in its message, presumably, to avoid adding new communication lines)
> the file listing of the git checkout at the point
Hi again. Thanks for the clarifications. Speaking personally I've
found your replies encouraging, and I'm cautiously optimistic that
this might be a workable approach. We'll keep working on a proper
response.
In the meantime, I have a couple of questions.
Joerg Jaspert writes ("Re: t2u in the
On 30.06.24 21:30, Aigars Mahinovs wrote:
The Debian developer/maintainer creates a signed git tag that contains
(in its message, presumably, to avoid adding new communication lines)
the file listing of the git checkout at the point of signing
(including file names, modes and short SHA checksum h
8 matches