Hello Didier, Christian, On Thu 13 Aug 2020 at 09:08PM +02, Didier 'OdyX' Raboud wrote: > Le jeudi, 13 août 2020, 11.19:59 h CEST Christian Kastner a écrit : >> Unless I'm grievously misremembering something, there was a discussion a >> while ago about automatically generating a source package and uploading >> it whenever a Debian release is (signed-)tagged in Salsa. >> >> If I did remember correctly: may I kindly inquire what the status on >> that is? > > I think I was the one with that idea [0], and I threw around some code last > winter, but I never really finished this; as I've stuck to using `dgit push- > source` for now. > > The idea would be to have: a `dgit tag-source-for-upload`, which produces a > tag with all the metadata needed by a knowledgeable tag consumer to reproduce > a signed .dsc + a signed _source.changes. That knowledgeable tag consumer > would run at the end of a salsa pipeline. Ian and I implemented something along these lines last summer and it's available to try from the archive; here is how: <https://spwhitton.name/blog/entry/tag2upload/> As to the current status: FTP Team members objected to having uploader-signed git tags on dgit.debian.org be the canonical record of an uploader's intended source package (rather than uploader-signed .dsc files stored on other servers), and they objected to the ways in which the system relies on git SHA1 hashes. I still believe that the design is sound and deploying the system can and should go ahead, but we could not overcome the disagreement. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature