Include git commit id and git tree id in *.changes files when uploading?
Hi!
In *.changes files we already have the Vcs-Git line as metadata
showing where the packaging sources are maintained with an exact URL
and a `-b <branch>` identifier if the upload was not from the default
branch.
To be better able to audit the software supply-chain I have been
thinking that we should have more git info in the changes file, namely
the git commit id it was generated from, and just in case also the git
tree id as well.
The git commit id (`git rev-parse HEAD`) is derived from what the
chain of contents+commit messages was, and the git tree id
(`git rev-parse HEAD^{tree}`) is derived from the file contents, so we can't
embed either into the packaging repository itself (e.g. as extra lines
in d/changelog) as they would reference itself in a circular manner.
They must be put in some file that describes the upload _after_ the
final git commit was made, and I think the changes file would be
ideal. It already has the Vcs-Git header anyway, and it is the file
any system processing the upload will see and can then act upon as
needed.
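To make the two derivations and the circularity argument concrete, here is an added example (not part of Otto's message and not Debian tooling) that recomputes git's blob, tree and commit ids in plain Python using git's documented object format, then shows what an auditor could do with the proposed fields. The field names `Vcs-Git-Commit` and `Vcs-Git-Tree`, the sample packaging files and the author identity are all constructed for the example; the thread proposes the idea, not these names.

```python
import hashlib
from typing import Dict, List

# Constructed sample identity; git also records a timestamp and zone here.
AUTHOR = "Jane Doe <jane@example.com> 1700000000 +0000"

# Hypothetical field names for the proposal; not an agreed .changes format.
COMMIT_FIELD = "Vcs-Git-Commit"
TREE_FIELD = "Vcs-Git-Tree"

# Constructed flat sample of a packaging checkout: {path: content}.
SAMPLE_PACKAGING = {
    "debian/changelog": b"hello (1.0-1) unstable; urgency=medium\n\n  * Initial release.\n",
    "debian/control": b"Source: hello\nMaintainer: Jane Doe <jane@example.com>\n",
    "debian/rules": b"#!/usr/bin/make -f\n%:\n\tdh $@\n",
}


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 of '<kind> <size>\\0<body>', the id git gives every loose object."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Tree id for {path: content}; subdirectories become nested tree objects.

    Entries are sorted the way git sorts them: by name, with a directory
    compared as if its name ended in '/'. Only names and file contents enter
    this hash; commit messages and history do not, which is the point of
    recording the tree id separately from the commit id."""
    entries = []
    subdirs: Dict[str, Dict[str, bytes]] = {}
    for path, content in files.items():
        head, sep, rest = path.partition("/")
        if sep:
            subdirs.setdefault(head, {})[rest] = content
        else:
            entries.append(("100644", head, blob_id(content), head))
    for name, sub in subdirs.items():
        entries.append(("40000", name, tree_id(sub), name + "/"))
    entries.sort(key=lambda e: e[3])
    body = b"".join(f"{mode} {name}\0".encode() + bytes.fromhex(oid)
                    for mode, name, oid, _ in entries)
    return git_object_id("tree", body)


def commit_id(tree: str, parents: List[str], message: str,
              author: str = AUTHOR, committer: str = AUTHOR) -> str:
    """Commit id: hash over the tree id, parent ids, identities and message,
    so it commits to the whole chain of contents plus commit messages."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def changes_fields(commit: str, tree: str) -> str:
    """The extra .changes lines the proposal would add next to Vcs-Git."""
    return f"{COMMIT_FIELD}: {commit}\n{TREE_FIELD}: {tree}\n"


def parse_fields(changes_text: str) -> Dict[str, str]:
    fields = {}
    for line in changes_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in (COMMIT_FIELD, TREE_FIELD):
            fields[key.strip()] = value.strip()
    return fields


def verify_upload(changes_text: str, files: Dict[str, bytes]) -> bool:
    """Auditor side: recompute the tree id from the unpacked packaging files
    and compare it with the id the .changes file claims for the upload."""
    claimed = parse_fields(changes_text).get(TREE_FIELD)
    return claimed is not None and claimed == tree_id(files)


def demo() -> Dict[str, object]:
    tree = tree_id(SAMPLE_PACKAGING)
    commit = commit_id(tree, [], "Upload hello 1.0-1\n")
    # Circularity: writing the commit id into d/changelog changes the tree id,
    # which changes the commit id, so the embedded value is stale immediately.
    with_id = dict(SAMPLE_PACKAGING)
    with_id["debian/changelog"] += f"  * Built from git commit {commit}\n".encode()
    circular = tree_id(with_id) != tree
    # The .changes file lives outside the tree, so it can carry both ids.
    changes = "Source: hello\n" + changes_fields(commit, tree)
    return {
        "commit": commit,
        "tree": tree,
        "changes": changes,
        "embedding_is_circular": circular,
        "verified": verify_upload(changes, SAMPLE_PACKAGING),
        "modified_tree_rejected": not verify_upload(changes, with_id),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tree id is the more useful of the two for an archive-side check, since it can be recomputed from the unpacked source alone without fetching history; the commit id additionally ties the upload to a specific point in the repository named by Vcs-Git, which is what an auditor following the chain back would clone and compare against.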
Has somebody else already been thinking about the same? Do others see
value in this?
- Otto