Hello, On Fri 26 Jul 2019 at 08:50PM +01, Jonathan McDowell wrote: > I've clarified with Ian that despite Sean's blog talking about the > debian-keyring package the dgit infrastructure correctly uses the > keyring in /srv/keyring.debian.org/ as deployed by DSA on the Debian > infrastructure. Right, thanks. Use of that package is just for try-it-on-your-laptop. > The piece of information that I think is missing here (and I've been > able to discover in person) is that the "trusted" piece (all the !s) is > keeping state during the processing of a particular tag/upload. That is, > the trusted component gets handed the tag info, verifies it is sane, > hands it off to the untrusted component to fetch + build a source > package for, then does as much verification as it can that what it gets > back from the untrusted component is the same package/version as > expected. Thanks for this. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature