use signed git tags to verify upstream tarball
Sometimes we are lucky and upstream uses signed git tags. That still does not
help us verify the orig.tar.gz. It can, however, still be very useful.
If we store some git objects in debian/upstream/.../ then we can at least
verify those files that are the same in the tarball and in the tagged git
commit.
We need to store the git tag, git commit and all tree objects from the tagged
commit. Then we have trusted sha1 signatures of all files from the tagged git
commit. The tarball might contain additional files, e.g. compiled stuff or
configure files, but we don't want to rely on those anyways.
Maybe this file structure?
debian/upstream/git
  objects                                     // flat structure, unlike git's two-level structure
    5f19d6d7380dc9416f5f852e8b3a9c06f239cb93  // plain, no zlib compression
  refs
    tags
      1.0.3                                   // same as in git
Objects are not compressed since they end up in a tar.gz anyways. The objects
store does not contain any blobs, only tree, commit and tag objects.
Somebody wants to write the necessary tools (in haskell...)?
Thomas Koch
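As an added example (not code from the post, and not an existing Debian tool), here is a Python sketch of the verification step the post describes: follow refs/tags/<name> to the tag object, then to the commit and its trees, then hash every regular file in the tarball the way git hashes a blob and compare it with the id recorded in the tree. It assumes the layout proposed above (a flat objects/ directory of uncompressed tag, commit and tree objects named by their sha1, no blobs, and refs/tags/<name> holding the tag's sha1). The sample repository, the tag name 1.0.3, the tarball prefix foo-1.0.3/ and all file contents are constructed for illustration. Checking the gpg signature on the tag object itself is left to gpg and not shown.

```python
# Added example, not code from the post. It assumes the layout proposed above:
# objects/<sha1> holds an uncompressed "<type> <len>\0<body>" (tag, commit and
# tree objects only, no blobs) and refs/tags/<name> holds the tag object's sha1.
import hashlib
import io
import os
import tarfile
import tempfile

def git_hash(obj_type, body):  # git object id: sha1 over "<type> <len>\0" + body
    return hashlib.sha1(b"%s %d\0%s" % (obj_type.encode(), len(body), body)).hexdigest()

def read_object(root, sha, expect_type):
    """Load objects/<sha>, recomputing its hash so a tampered copy is rejected."""
    with open(os.path.join(root, "objects", sha), "rb") as f:
        header, _, body = f.read().partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body) or git_hash(obj_type, body) != sha:
        raise ValueError("object %s is corrupt" % sha)
    if obj_type != expect_type:  # no type confusion between tag/commit/tree
        raise ValueError("%s: expected %s, got %s" % (sha, expect_type, obj_type))
    return body

def walk_tree(root, tree_sha, prefix=""):
    """Yield (path, blob sha1) for every regular file below tree_sha."""
    body = read_object(root, tree_sha, "tree")
    pos = 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        sha = body[nul + 1:nul + 21].hex()  # 20 raw sha1 bytes follow the NUL
        pos = nul + 21
        if mode == "40000":  # subdirectory
            yield from walk_tree(root, sha, prefix + name + "/")
        elif mode in ("100644", "100755"):  # symlinks and submodules are skipped
            yield prefix + name, sha

def files_for_tag(root, tag_name):
    """refs/tags/<name> -> tag object -> commit -> root tree -> {path: blob sha1}."""
    with open(os.path.join(root, "refs", "tags", tag_name)) as f:
        tag_sha = f.read().strip()
    headers = read_object(root, tag_sha, "tag").split(b"\n\n", 1)[0].decode()
    hdr = dict(line.split(" ", 1) for line in headers.splitlines())
    if hdr["type"] != "commit" or hdr["tag"] != tag_name:
        raise ValueError("tag object does not match refs/tags/%s" % tag_name)
    commit = read_object(root, hdr["object"], "commit")
    tree_sha = commit.split(b"\n", 1)[0].split(b" ")[1].decode()
    return dict(walk_tree(root, tree_sha))

def verify_tarball(root, tag_name, tar_bytes, strip_prefix):
    """Classify every regular file in the tarball against the tagged tree."""
    expected = files_for_tag(root, tag_name)
    result = {"ok": [], "mismatch": [], "extra": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in filter(tarfile.TarInfo.isfile, tf.getmembers()):
            path = m.name[len(strip_prefix):] if m.name.startswith(strip_prefix) else m.name
            data = tf.extractfile(m).read()
            if path not in expected:
                result["extra"].append(path)  # e.g. a generated configure script
            elif git_hash("blob", data) == expected[path]:
                result["ok"].append(path)
            else:
                result["mismatch"].append(path)
    # files git knows about that the tarball does not ship
    result["missing"] = sorted(set(expected) - set(result["ok"]) - set(result["mismatch"]))
    return result

def build_fixture(tamper):
    """Constructed sample: objects in a temp dir plus a tarball that adds 'configure'."""
    root = tempfile.mkdtemp()
    for d in ("objects", "refs/tags"):
        os.makedirs(os.path.join(root, d))
    def put(obj_type, body):
        sha = git_hash(obj_type, body)
        with open(os.path.join(root, "objects", sha), "wb") as f:
            f.write(b"%s %d\0%s" % (obj_type.encode(), len(body), body))
        return sha
    src = {"README": b"hello\n", "src/main.c": b"int main(void) { return 0; }\n"}
    blob = lambda data: bytes.fromhex(git_hash("blob", data))  # raw 20-byte id
    who = b"A <a@x> 0 +0000"
    src_tree = put("tree", b"100644 main.c\0" + blob(src["src/main.c"]))
    root_tree = put("tree", b"100644 README\0" + blob(src["README"])
                    + b"40000 src\0" + bytes.fromhex(src_tree))
    commit = put("commit", b"tree %s\nauthor %s\ncommitter %s\n\nrelease\n"
                 % (root_tree.encode(), who, who))
    tag = put("tag", b"object %s\ntype commit\ntag 1.0.3\ntagger %s\n\nv1.0.3\n"
              % (commit.encode(), who))
    with open(os.path.join(root, "refs", "tags", "1.0.3"), "w") as f:
        f.write(tag + "\n")
    shipped = dict(src, configure=b"#!/bin/sh\n")
    if tamper:  # the shipped src/main.c no longer matches the tagged tree
        shipped["src/main.c"] = b"int main(void) { return 1; }\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in shipped.items():
            info = tarfile.TarInfo("foo-1.0.3/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return root, buf.getvalue()
```

Calling build_fixture(tamper=True) and then verify_tarball(root, "1.0.3", tarball, "foo-1.0.3/") classifies README as ok, src/main.c as a mismatch and the generated configure as extra. Two details carry the trust: every loaded object is re-hashed and compared with its file name, so a modified tree object under debian/upstream cannot silently change the expected blob ids, and the object type is checked at each step, so a commit cannot be passed off as a tree. What the example does not do is check the gpg signature on the tag object; without that step the stored objects are only as trustworthy as the packager's checkout.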