Re: tag2upload (git-debpush) service architecture - draft

To: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>, Ian Jackson <ijackson@chiark.greenend.org.uk>, debian-devel@lists.debian.org, ftpmaster@debian.org, debian-dak@lists.debian.org, Sean Whitton <spwhitton@spwhitton.name>
Subject: Re: tag2upload (git-debpush) service architecture - draft
From: Bernd Zeimetz <bernd@bzed.de>
Date: Sun, 28 Jul 2019 11:58:09 +0200
Message-id: <[🔎] 1135ba05-c2dd-efc4-fcc5-94bc5f895a09@bzed.de>
In-reply-to: <[🔎] c565298c-ffae-4d45-d421-c15cd755072a@zoho.com>
References: <[🔎] c565298c-ffae-4d45-d421-c15cd755072a@zoho.com>

On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:
> As a way to avoid relying on SHA-1, would it work to have git-debpush
> include a longer hash in the tag message, and tag2upload also verify
> that hash?

what exactly would you create that long hash of?

If we don't trust sha-1, then we might also not be able to trust the
linked list of commits a git tag is pointing to.


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

Reply to:

Follow-Ups:
- Re: tag2upload (git-debpush) service architecture - draft
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
- Re: tag2upload (git-debpush) service architecture - draft
  - From: Bernd Zeimetz <bernd@bzed.de>

References:
- Re: tag2upload (git-debpush) service architecture - draft
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>

Prev by Date: Re: tag2upload (git-debpush) service architecture - draft
Next by Date: Re: tag2upload (git-debpush) service architecture - draft
Previous by thread: Re: tag2upload (git-debpush) service architecture - draft
Next by thread: Re: tag2upload (git-debpush) service architecture - draft
Index(es):
- Date
- Thread