
Re: [RFC] Proposal for new source format



Bastian Blank <waldi@debian.org> writes:

> We had that discussion already, it is about the possibility of
> reproducing the content of the upload.  The tag2upload proposal said
> they can't do it and everyone needs to trust this service to do the right
> thing.  I like to solve this problem and allow such a tool/service to
> forward the trust information by reproducing the output.

Could you help me understand what this would look like?  Is it something
like this workflow?

1. tag2upload determines the local Git tree that should be uploaded as a
   new source package.

2. tag2upload locally constructs a source package from that Git tree.

3. The uploading user signs the source package that tag2upload constructs.

4. tag2upload pushes a rich tag to its upload server that contains enough
   information to identify the Git tree that should be uploaded and that
   includes the signature over the source package constructed from that
   tree.

5. The tag2upload server reconstructs the source package from Git,
   attaches the signature, and then forwards both to dak.

6. dak validates the signature on the source package and accepts the
   package.

And therefore the goal of this proposal is to define a source package
format that allows this to be done more easily than our current source
package format allows?

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
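The six-step workflow sketched in the message above, as an added example that is not part of this thread and not code from dgit, tag2upload or dak. It models the trust-forwarding argument: the uploader signs a package built locally, the tag carries only the commit name and that signature, the server rebuilds from the commit and forwards the signature, and dak accepts only if the signature verifies over the rebuilt bytes. Everything here is a stand-in: a Go map instead of a Git repository, a pinned tar stream instead of a real Debian source package, Ed25519 instead of OpenPGP, and the commit name "debian/1.0-1" and the sample files are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"time"
)

// Tree stands in for the Git tree a tag points at (path -> content); a
// constructed model, not dgit's or tag2upload's own data structures.
type Tree map[string][]byte

// BuildSourcePackage turns a tree into a source-package archive. Entry order,
// mtime, ownership and mode are pinned so uploader and server produce
// identical bytes; that reproducibility is what step 5 depends on.
func BuildSourcePackage(t Tree) ([]byte, error) {
	paths := make([]string, 0, len(t))
	for p := range t {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, p := range paths {
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: p, Mode: 0644,
			Size: int64(len(t[p])), ModTime: time.Unix(0, 0)}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(t[p]); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Tag models the rich tag of step 4: the commit whose tree to build, plus the
// uploader's signature over the package built from it (Ed25519 stands in for
// the OpenPGP signature Debian actually uses).
type Tag struct {
	Commit    string
	Signature []byte
}

// UploaderSign is steps 1-4: build locally, sign the result, emit the tag.
func UploaderSign(priv ed25519.PrivateKey, commit string, t Tree) (Tag, error) {
	pkg, err := BuildSourcePackage(t)
	if err != nil {
		return Tag{}, err
	}
	return Tag{Commit: commit, Signature: ed25519.Sign(priv, pkg)}, nil
}

// ServerReconstruct is step 5: rebuild from the commit the tag names and
// forward package and signature unchanged. The server holds no key, so it
// can reproduce but never vouch.
func ServerReconstruct(repo map[string]Tree, tag Tag) ([]byte, []byte, error) {
	t, ok := repo[tag.Commit]
	if !ok {
		return nil, nil, fmt.Errorf("commit %q not found on server", tag.Commit)
	}
	pkg, err := BuildSourcePackage(t)
	return pkg, tag.Signature, err
}

// DakAccept is step 6: accept only if the uploader's signature verifies over
// exactly the bytes the server handed over.
func DakAccept(pub ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(pub, pkg, sig)
}

// Run drives steps 1-6. uploaded is the tree the uploader signed; served is
// what the server actually has under that commit (the same tree for an
// honest service, something else for a buggy or compromised one).
func Run(uploaded, served Tree) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	tag, err := UploaderSign(priv, "debian/1.0-1", uploaded) // constructed tag name
	if err != nil {
		return false, err
	}
	pkg, sig, err := ServerReconstruct(map[string]Tree{tag.Commit: served}, tag)
	if err != nil {
		return false, err
	}
	return DakAccept(pub, pkg, sig), nil
}

func main() {
	// Constructed sample packaging tree.
	tree := Tree{
		"debian/control":   []byte("Source: example\nMaintainer: Example <ex@example.org>\n"),
		"debian/changelog": []byte("example (1.0-1) unstable; urgency=medium\n"),
		"src/main.c":       []byte("int main(void) { return 0; }\n"),
	}
	honest, _ := Run(tree, tree)
	tampered := Tree{"debian/control": tree["debian/control"],
		"debian/changelog": tree["debian/changelog"],
		"src/main.c":       []byte("int main(void) { return 1; }\n")}
	forged, _ := Run(tree, tampered)
	fmt.Println("honest accepted:", honest, "tampered accepted:", forged)
}
```

The point the model makes concrete: the server never holds a signing key, so the only way its output gets into the archive is by being byte-for-byte what the uploader signed; in the tampered run dak rejects the package. That only works if the build is bit-for-bit reproducible between the uploader's machine and the server, which is exactly what a source format designed for this would have to guarantee.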

