git repositories for packages and signed pushes
We've had some discussion of some of these issues already, but let me
summarise:
Most current workflows for Debian packaging with git involve a git
repository somewhere, and in practice it is very impractical not to
trust the contents of (at least some branches in) that repository.
Currently AFAIAA most people are using ad-hoc repositories on private
servers, or something on alioth. And most people are not using any
kind of signature scheme. This is far from ideal.
I think we should switch to using GPG-signed pushes. (This is better
than GPG-signed tags because tags don't really specify what branches
to update, unless you impose special syntax on them - thus reinventing
signed pushes. It is better than GPG-signed commits because it works
better with history rewriting, makes clearer what is actually being
intentionally done by the signer, and exposes and uses your key at
only the right point in the process.)
For this we need a git server which supports GPG-signed pushes, and
(at least) all authorised pushers to be using a suitable verson of
git. I guess the rule would be that a DD is allowed to create, delete
and rename and update branches on any package's repo, and that a DM
may only access repos for `their' packages (and perhaps may only
update ff - TBD).
The new dgit git repos VM is IMO an appropriate place to host this.
The dgit magic git server already knows how to decide whether a
particular key is authorised for a particular package and has many of
the necessary moving parts.
The only significant problem is that the relevant versions of git are
currently only in experimental. Can we expect these (a) to be in sid
soon and (b) usefully stable backports to be available for (at least)
jessie ? (CCing git@p.d.o.)
I'll also have to talk to DSA about what they think about running a
backport of git.
Ian.
Reply to: