Hello, On Sun 28 Jul 2019 at 09:55PM +01, Rebecca N. Palmer wrote: > On 28/07/2019 20:01, Sean Whitton wrote: >> When I read your first e-mail what I thought you had in mind was just >> this -- having git-debpush compute a stronger hash of the tree object >> and add that to the tag metadata, ignoring commit objects. > > Of the files in the signer's repository, not of an actual tree object > (since the second is a list of file/subtree SHA-1 hashes). Ah, right. >> But now I'm struggling to understand the relevance of your discussion of >> having git-debpush create a .dsc in your second e-mail, if what you're >> actually talking about is hashing a git tree object. > > "Tag with sha256" and "hidden .dsc" are two alternative options: the > first is a narrowly targeted fix for the SHA-1 issue, the second a > bigger redesign. Okay. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature