Re: tag2upload (git-debpush) service architecture - draft

To: Sam Hartman <hartmans@debian.org>
Cc: Sean Whitton <spwhitton@spwhitton.name>, Bastian Blank <waldi@debian.org>, "Rebecca N. Palmer" <rebecca_palmer@zoho.com>, debian-devel@lists.debian.org, ftpmaster@debian.org, debian-dak@lists.debian.org
Subject: Re: tag2upload (git-debpush) service architecture - draft
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 2 Aug 2019 13:49:03 +0100
Message-id: <[🔎] 23876.12607.275623.973680@chiark.greenend.org.uk>
In-reply-to: <[🔎] tslh87157qg.fsf@suchdamage.org>
References: <c565298c-ffae-4d45-d421-c15cd755072a@zoho.com> <1135ba05-c2dd-efc4-fcc5-94bc5f895a09@bzed.de> <8b38fd5f-b2c6-0745-d8ca-94686745f720@zoho.com> <23869.48339.192029.53108@chiark.greenend.org.uk> <1fea303b-96db-7cd6-5178-b9302d612b10@zoho.com> <20190730155437.cnsld27jqb2lgbbb@shell.thinkmo.de> <23873.48403.353433.835198@chiark.greenend.org.uk> <20190731183134.pcjqmjjwzg6witoa@shell.thinkmo.de> <tsl5zni80xv.fsf@suchdamage.org> <20190731203733.5rjmiwtuj27wmri2@shell.thinkmo.de> <[🔎] 877e7xf6in.fsf@athena.silentflame.com> <[🔎] tslh87157qg.fsf@suchdamage.org>

Sam Hartman writes ("Re: tag2upload (git-debpush) service architecture - draft"):
> Sean Whitton <spwhitton@spwhitton.name> writes:
> > Okay, thanks.
> 
> > I think that the Git-Tag-Info field solves this.  With that
> > field available, anyone can do the following to perform an
> > equivalent verification:
> 
> > 1. fetch the .dsc from the archive
> 
> > 2. fetch, from dgit-repos, the tag given in the Git-Tag-Info
> > field of the .dsc
> 
> This violates the "no external data" requirement above.

This requirement can be met (as I mentioned before) by including the
tag object data as a file in the upload (listed in .changes).  The
signature can be verified without any further data.  A git bundle is
not needed.

I just need to know what filename I should give it.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to:

Follow-Ups:
- Re: tag2upload (git-debpush) service architecture - draft
  - From: Sam Hartman <hartmans@debian.org>

References:
- Re: tag2upload (git-debpush) service architecture - draft
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: tag2upload (git-debpush) service architecture - draft
  - From: Sam Hartman <hartmans@debian.org>

Prev by Date: Re: tag2upload (git-debpush) service architecture - draft
Next by Date: Re: tag2upload (git-debpush) service architecture - draft
Previous by thread: Re: tag2upload (git-debpush) service architecture - draft
Next by thread: Re: tag2upload (git-debpush) service architecture - draft
Index(es):
- Date
- Thread