
Re: tag2upload (git-debpush) service architecture - draft



>>>>> "Ian" == Ian Jackson <ijackson@chiark.greenend.org.uk> writes:

    Ian> Sam Hartman writes ("Re: tag2upload (git-debpush) service
    Ian> architecture - draft"):
    >> Sean Whitton <spwhitton@spwhitton.name> writes:
    >> > Okay, thanks.
    >> 
    >> > I think that the Git-Tag-Info field solves this.  With that
    >> > field available, anyone can do the following to perform an
    >> > equivalent verification:
    >> 
    >> > 1. fetch the .dsc from the archive
    >> 
    >> > 2. fetch, from dgit-repos, the tag given in the Git-Tag-Info
    >> > field of the .dsc
    >> 
    >> This violates the "no external data" requirement above.

    Ian> This requirement can be met (as I mentioned before) by
    Ian> including the tag object data as a file in the upload (listed
    Ian> in .changes).  The signature can be verified without any
    Ian> further data.  A git bundle is not needed.

What do you mean by tag object data?
Can you outline how to get from the dsc to a verification of the tag
signature without contacting the dgit server?
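
For reference, an added example that is not part of this thread or of the tag2upload code: in git, a signed tag object's content is a short header, the tag message, and an ASCII-armored signature appended at the end, and the signature covers every byte before it. The sketch below splits such content into the signed payload and the detached signature and recomputes the tag's object id; the sample tag, its names and the placeholder signature are constructed, and only PGP-signed tags in a SHA-1 repository are handled.

```python
import hashlib

PGP_BEGIN = b"-----BEGIN PGP SIGNATURE-----\n"

# Constructed sample of raw tag object content (what `git cat-file tag` emits).
# The signature body is a placeholder, not a real signature.
SAMPLE_TAG = (
    b"object 0123456789abcdef0123456789abcdef01234567\n"
    b"type commit\n"
    b"tag debian/1.0-1\n"
    b"tagger Example Uploader <uploader@example.org> 1560000000 +0000\n"
    b"\n"
    b"example 1.0-1 release\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"CONSTRUCTED-PLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
)

def split_signed_tag(raw: bytes):
    """Return (signed_payload, armored_signature) from raw tag content."""
    # The signature block starts at the beginning of a line and runs to the
    # end of the object; everything before it is the data that was signed.
    idx = raw.find(b"\n" + PGP_BEGIN)
    if idx < 0:
        raise ValueError("no PGP signature found in tag object")
    return raw[:idx + 1], raw[idx + 1:]

def tag_headers(payload: bytes) -> dict:
    """Parse the header lines (object, type, tag, tagger) before the message."""
    head, _, _ = payload.partition(b"\n\n")
    fields = {}
    for line in head.split(b"\n"):
        key, _, value = line.partition(b" ")
        fields[key.decode()] = value.decode()
    return fields

def tag_object_id(raw: bytes) -> str:
    """Recompute the tag's SHA-1 object id from its full content."""
    return hashlib.sha1(b"tag %d\0" % len(raw) + raw).hexdigest()

if __name__ == "__main__":
    payload, signature = split_signed_tag(SAMPLE_TAG)
    print(tag_headers(payload))
    print(tag_object_id(SAMPLE_TAG))
    # Writing payload and signature to two files allows an offline check with
    # `gpg --verify tag.sig tag.payload` against a locally held keyring.
```

A passing signature check only shows that the key signed the tag text, including the `object` line naming a commit id; it does not by itself show that the source package contents correspond to that commit.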

