
Re: [RFC] Proposal for new source format

Hi Russ

On Tue, Oct 29, 2019 at 12:19:03PM -0700, Russ Allbery wrote:
> Could you help me understand what this would look like?  Is it something
> like this workflow?
> 1. tag2upload determines the local Git tree that should be uploaded as a
>    new source package.
> 2. tag2upload locally constructs a source package from that Git tree.
> 3. The uploading user signs the source package that tag2upload constructs.

The uploading user signs the .dsc file that was constructed.

> 4. tag2upload pushes a rich tag to its upload server that contains enough
>    information to identify the Git tree that should be uploaded and that
>    includes the signature over the source package constructed from that
>    tree.
> 5. The tag2upload server reconstructs the source package from Git,
>    attaches the signature, and then forwards both to dak.

The server reconstructs the source, attaches the signed (by the user)
.dsc file and signs the .changes file covering the whole upload itself.

> 6. dak validates the signature on the source package and accepts the
>    package.
> And therefore the goal of this proposal is to define a source package
> format that allows this to be done more easily than our current source
> package format allows?



Captain's Log, star date 21:34.5...
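
The server-side step discussed in this message, as an added example that is not part of the original mail and is not tag2upload or dak code: a .dsc lists the SHA-256 and size of every source file, so a user-signed .dsc can only be attached if the server's reconstruction is byte-identical to what the uploader built. Package names, file contents and function names are constructed for illustration, and OpenPGP verification of the .dsc is assumed to happen separately.

```python
import hashlib

def make_dsc(source, version, files):
    """Build a minimal, unsigned .dsc body listing each file's SHA-256 and size."""
    lines = ["Format: 3.0 (quilt)", f"Source: {source}", f"Version: {version}",
             "Checksums-Sha256:"]
    for name in sorted(files):
        data = files[name]
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def parse_checksums(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries

def check_reconstruction(dsc_text, rebuilt):
    """List problems that stop the signed .dsc from covering the rebuilt files."""
    expected = parse_checksums(dsc_text)
    problems = []
    for name, (digest, size) in expected.items():
        data = rebuilt.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"mismatch: {name}")
    problems += [f"unlisted: {n}" for n in rebuilt if n not in expected]
    return sorted(problems)

# Constructed sample data: what the uploader built locally from the Git tree.
LOCAL = {"hello_1.0.orig.tar.xz": b"upstream-bytes",
         "hello_1.0-1.debian.tar.xz": b"packaging-bytes mtime=100"}
SIGNED_DSC = make_dsc("hello", "1.0-1", LOCAL)  # the text the user would sign

# Server rebuilds: one byte-identical, one differing only in an embedded timestamp.
SAME = dict(LOCAL)
DRIFTED = dict(LOCAL, **{"hello_1.0-1.debian.tar.xz": b"packaging-bytes mtime=200"})

if __name__ == "__main__":
    print(check_reconstruction(SIGNED_DSC, SAME))
    print(check_reconstruction(SIGNED_DSC, DRIFTED))
```

Any nondeterminism in how the source files are produced from Git (timestamps, ordering, compression settings) shows up here as a mismatch, which is the property a source format has to guarantee for this workflow to work.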
