Re: tag2upload (git-debpush) service architecture - draft
Bernd Zeimetz writes:
> On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:> As a way to avoid relying
> on SHA-1, would it work to have git-debpush
>> include a longer hash in the tag message, and tag2upload also verify
>> that hash?
>>
> The other idea would be to convince git upstream to use something
> better than sha1 - and after a bit of searching, I found
[...]
> So I think the best thing to do is to get sha256 working in git and
> force the usage of sha256 if you want to sign a tag for upload.
That will take quite a while; we would probably need a version of git
supporting that in stable.
There are also other issues, for example:
- Such a service would bypass various sanity checks on the archive
side, including various permission checks.
- Such a service would need to properly validate the PGP signature.
The archive really shouldn't rely on a third-party service for this.
(In particular the service in question here doesn't do that as far as
I can tell.)
Ansgar
Reply to: