Re: Survey: git packaging practices / repository format
On 01.07.19 15:09, Andrey Rahmatullin wrote:
> On Mon, Jul 01, 2019 at 03:04:26PM +0200, Enrico Weigelt, metux IT consult wrote:
>> On 29.05.19 17:41, Andrey Rahmatullin wrote:
>>
>>>> Perhaps we should update policy to say that the .orig tarball may (or
>>>> even "should") be generated from an upstream release tag where
>>>> applicable.
>>> This conflicts with shipping tarball signatures.
>>
>> Does that really need to be the upstream's tarballs?
> The idea is checking the sig that the upstream made, with the key the
> upstream published.
Okay, but is that actually used (by somebody except the maintainers)?
>> If it's about validating the source integrity all along the path
>> from upstream to deb-src repo, we could do that by an auditable process
>> (eg. fully automatic, easily reproducible transformations)
> Sounds very complicated.
I don't think so, at least if we're considering the whole workflow.
In the end, it's just a matter of trust-chains:
* upstream should use signed tags - we can collect their pubkeys
  in some suitable place (what we should do anyway).
* if upstream doesn't sign, the maintainer has to trust them blindly,
  or needs to verify the code anyway. we could use some half-automated
  process for verifying the diff between the upstream tarball and the
  scm repo (we could add our own signatures here)
* finally the maintainer signs his final tree (the one that's used for
  actually building the final packages)
I believe that 99% can be done automatically, with a little bit of
tooling.
-- 
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287
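The middle step of the trust chain sketched above, "verifying the diff between the upstream tarball and the scm repo", is the part that needs tooling rather than just a gpg invocation (the upstream tag is checked with `git verify-tag`, and the maintainer's own result can be signed with `git tag -s` or `gpg --detach-sign`). The following is an added example, not code from the thread or from any Debian tool: it hashes every regular file in a release tarball and in a tree exported from the tag (a checkout or `git archive` output on disk), and classifies the paths so that the maintainer only has to audit what upstream shipped beyond the signed tag. It assumes the tarball has the usual single top-level `NAME-VERSION/` directory; the sample tag tree and tarball in `demo()` are constructed in memory for illustration.

```python
"""Compare an upstream release tarball with the tree exported from the
upstream SCM tag, so a maintainer only has to review the delta.

Added example for this thread; assumes the tarball has one top-level
directory (NAME-VERSION/) and that the tag tree is available on disk.
Signature checks (git verify-tag upstream, gpg for the maintainer's own
signature) are separate steps and not shown here.
"""
import hashlib
import io
import os
import posixpath
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tarball(source) -> dict:
    """Return {relative path: sha256} for regular files in the tarball.

    `source` is a path or a binary file object. Members are read in memory
    and never extracted, so hostile names (absolute paths, '..') cannot
    escape to disk; they simply show up in the report as-is.
    """
    opener = {"name": source} if isinstance(source, str) else {"fileobj": source}
    hashes = {}
    with tarfile.open(mode="r:*", **opener) as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = posixpath.normpath(member.name)
            # strip the single top-level directory (e.g. pkg-1.0/)
            rel = name.split("/", 1)[1] if "/" in name else name
            hashes[rel] = _sha256(tf.extractfile(member).read())
    return hashes


def hash_tree(root: str) -> dict:
    """Return {relative path: sha256} for regular files under root,
    skipping the .git directory of a checkout."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = _sha256(fh.read())
    return hashes


def compare(tarball_hashes: dict, tag_hashes: dict) -> dict:
    """Classify every path. 'only_in_tarball' is the set that actually needs
    auditing: files upstream shipped that are not in the signed tag
    (typically generated autotools output, occasionally something worse)."""
    tar_paths, tag_paths = set(tarball_hashes), set(tag_hashes)
    common = tar_paths & tag_paths
    return {
        "only_in_tarball": tar_paths - tag_paths,
        "only_in_tag": tag_paths - tar_paths,
        "modified": {p for p in common if tarball_hashes[p] != tag_hashes[p]},
        "identical": {p for p in common if tarball_hashes[p] == tag_hashes[p]},
    }


def demo() -> dict:
    """Constructed sample: a fake tag tree on disk and a fake upstream
    tarball built in memory, with one deliberate difference per category."""
    tag_files = {
        "README": b"hello\n",
        "src/main.c": b"int main(void){return 0;}\n",
        ".gitignore": b"*.o\n",  # typically export-ignored, absent from tarball
    }
    tarball_files = {
        "README": b"hello\n",                           # identical
        "src/main.c": b"int main(void){return 1;}\n",   # modified
        "configure": b"#!/bin/sh\n",                    # generated, tarball only
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tag_files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for rel, data in tarball_files.items():
                info = tarfile.TarInfo(name="pkg-1.0/" + rel)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        buf.seek(0)
        return compare(hash_tarball(buf), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

In a real run, `hash_tree()` would be pointed at `git archive <tag> | tar -x` output (or the checkout) after `git verify-tag` has passed, and `hash_tarball()` at the `.orig.tar.*`; an empty `only_in_tarball` and `modified` means the tarball adds nothing beyond the signed tag and can be derived from it mechanically.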