Re: tag2upload (git-debpush) service architecture - draft
>>>>> "Ian" == Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
>> Can you outline how to get from the dsc to a verification of the
>> tag signature without contacting the dgit server?
Ian> Sure.
Ian> Split the tag object data at the relevant ----- boundary. This
Ian> gives you 1. an unsigned tag data file (first half) 2. a
Ian> detached armoured PGP signature (second half). Feed that pair
Ian> to gpgv (with appropriate keyrings etc.). That's it.
Ah, thanks.
I think this helps me understand where the confusion is.
My understanding of ftpmaster's requirement, confirmed by Bastian is
that without data external to the dsc, someone needs to be able to
confirm the contents of the source package are certified by a user in
the Debian keyring.
That is, anyone needs to be able to prove only from the dsc (and
keyrings of course) that the dsc is created from the git objects
intended by the signer.
The output of git cat-file tag is insufficient to do that.
All it includes is the object hash of the commit object.
However, we don't have that commit object or the tree objects in the
dsc.
We could perform that verification given the dgit repository, but that
would violate the no external data requirement from ftpmaster as I have
explained to Sean.
In effect, ftpmaster is saying they are uncomfortable trusting
tag2upload very much.
I think we may see this same issue come up again when we discuss
automated sourceful NMUs as requested by the reproducible builds community.
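
Added example, not part of the original message or of dgit/tag2upload: a Python sketch of the split Ian describes, which also parses the signed half to show that its only link to the source is the commit object hash. The sample tag, its hash, names and signature body are constructed placeholders, and `split_tag`, `signed_headers` and `gpgv_verify` are hypothetical helper names.

```python
import os
import subprocess
import tempfile

SIG_MARKER = b"-----BEGIN PGP SIGNATURE-----"

# Constructed sample in the layout printed by `git cat-file tag`; the hash,
# tagger and signature body are placeholders, not real data.
SAMPLE_TAG = (
    b"object 1111111111111111111111111111111111111111\n"
    b"type commit\n"
    b"tag debian/1.0-1\n"
    b"tagger Example Uploader <uploader@example.org> 1700000000 +0000\n"
    b"\n"
    b"example release 1.0-1\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"PLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
)

def split_tag(raw):
    """Return (unsigned_payload, armoured_signature), split at the last marker line."""
    pos, offset = -1, 0
    for line in raw.splitlines(keepends=True):
        if line.startswith(SIG_MARKER):
            pos = offset
        offset += len(line)
    if pos < 0:
        raise ValueError("tag object carries no PGP signature")
    return raw[:pos], raw[pos:]

def signed_headers(payload):
    """Parse the header lines covered by the signature (up to the first blank line)."""
    head = payload.split(b"\n\n", 1)[0]
    return dict(line.split(b" ", 1) for line in head.split(b"\n"))

def gpgv_verify(payload, signature, keyring):
    """Feed the pair to gpgv as data file plus detached signature; True if accepted."""
    with tempfile.TemporaryDirectory() as d:
        data, sig = os.path.join(d, "tag.txt"), os.path.join(d, "tag.txt.asc")
        with open(data, "wb") as f:
            f.write(payload)
        with open(sig, "wb") as f:
            f.write(signature)
        return subprocess.run(["gpgv", "--keyring", keyring, sig, data]).returncode == 0

if __name__ == "__main__":
    payload, sig = split_tag(SAMPLE_TAG)
    hdr = signed_headers(payload)
    # The signed bytes name a commit id only; no tree or file content is included.
    print(hdr[b"object"].decode(), hdr[b"type"].decode())
```

A successful `gpgv_verify` therefore certifies the tag text and the commit id it names; tying that id to the files in a dsc still needs the commit and tree objects.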