
Re: Discussion on eventual transition away from source packages



Daniel Kahn Gillmor writes ("Re: Discussion on eventual transition away from source packages"):
> On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote:
> > I'm probably missing something, but it doesn't sound like a lot of work
> > to me? It's "just" a service that:
> > - gets notified of the existence of a git repo + tag to upload
> > - fetches that git repo + tag
> > - checks signature / confirm that the GPG key owner is allowed to upload
> >   that package
> 
> In case anyone is considering trying to do this, please be aware that
> there are several non-obvious subtleties involved in "verifying a git
> tag".

Indeed.  The git and gnupg tooling is quite awful.  Last I looked at
this, git tag -v was so bad as to be unusable.  I ended up writing
dozens of lines of code to manually pick apart the tag and feed the
results to gpgv (and to work around infelicities in gpgv).

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
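As an added example (not Ian's code, and not anything from Debian's infrastructure): a Python sketch of the "pick apart the tag" step, splitting a raw tag object into the signed payload and the armoured signature for gpgv, and then checking that the signed content actually names the tag and commit the service was asked about rather than merely carrying a valid signature. The tag object, commit hash and signature block are constructed placeholders.

```python
# Constructed sample of what `git cat-file tag <name>` prints for a signed tag.
# Hashes, names and the armour block are placeholders, not real data.
SAMPLE_TAG = (
    "object 1111111111111111111111111111111111111111\n"
    "type commit\n"
    "tag debian/1.0-1\n"
    "tagger Example Uploader <uploader@example.org> 1553243575 +0100\n"
    "\n"
    "Upload 1.0-1 to unstable\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCgAdFiEE-placeholder-not-a-real-signature\n"
    "-----END PGP SIGNATURE-----\n"
)

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----\n"
SIG_END = "-----END PGP SIGNATURE-----\n"


def split_tag(tag_text):
    """Return (signed payload, armoured signature) for a raw tag object.
    git signs everything that precedes the armour block, so the payload
    handed to gpgv must be byte-exact up to that point."""
    idx = tag_text.rfind(SIG_BEGIN)
    if idx < 0 or not tag_text.endswith(SIG_END):
        raise ValueError("tag is unsigned or its signature block is malformed")
    return tag_text[:idx], tag_text[idx:]


def parse_headers(payload):
    """Header lines (object/type/tag/tagger) precede the first blank line."""
    headers = {}
    for line in payload.split("\n\n", 1)[0].splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers


def check_tag(tag_text, expected_tag, expected_commit):
    """Beyond signature validity: the signed content must name the tag and
    commit the service was asked to verify, or a valid signature by an
    authorised key on some other tag would be accepted."""
    payload, sig = split_tag(tag_text)
    h = parse_headers(payload)
    problems = []
    if h.get("type") != "commit":
        problems.append("tag does not point at a commit object")
    if h.get("tag") != expected_tag:
        problems.append("tag name in signed content differs from the requested tag")
    if h.get("object") != expected_commit:
        problems.append("tag points at a different commit than expected")
    return payload, sig, problems
```

The two strings returned by `split_tag` are what gets written to files and passed to `gpgv --keyring <uploader-keyring> tag.sig tag.payload`; the key ID gpgv reports is then what the service compares against its list of who may upload the package.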

