Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]

To: 932753@bugs.debian.org,
Cc: debian-dpkg@lists.debian.org, debian-policy@lists.debian.org
Subject: Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Mon, 22 Jul 2019 19:55:26 +0100
Message-id: <[🔎] 23862.1694.800944.781799@chiark.greenend.org.uk>
In-reply-to: <23862.746.184604.339762@chiark.greenend.org.uk>, <handler.932753.B.156382078132584.ack@bugs.debian.org>
References: <23862.746.184604.339762@chiark.greenend.org.uk> <handler.932753.B.156382078132584.ack@bugs.debian.org> <87bly2nwcf.fsf@iris.silentflame.com> <18ECEC09-EF0B-439E-A329-6739C3572A0C@kitterman.com> <877e8nbuu5.fsf@zephyr.silentflame.com> <87ims3fc0d.fsf@hope.eyrie.org> <23860.42634.422491.401349@chiark.greenend.org.uk> <87a7d78e5g.fsf@hope.eyrie.org> <23860.44512.404944.360031@chiark.greenend.org.uk> <20190722144659.GB25690@home.ouaza.com>

Hi.  I am consulting on the name and syntax of a new field I intend to
put in .dsc's.

This is for our tag-to-upload service[1], as described here:
  https://spwhitton.name/blog/entry/tag2upload/

The tag2upload service will take a signed git tag, and verify it
against the Debian keyrings and dm.txt.  It then turns that into a
source package which it signs with its own key.

That means the original "uploader" information (ie the identity of the
person signing the git tag) is not any more present in the source
package.  To rememdy that I propose the following new field:

  Git-Tag-Info: FINGERPRINT Firstname Surname <email@address>

The parsing rules are: the first word is the fingerprint entirely in
hex.  The rest is from the tag's "tagger" line (and may not match).

Consumers which want to know which OpenPGP key ws used should use
FINGERPRINT.  Consumers which want to send email should use the RHS.

This syntax does not contain the signature date, nor the tag message,
nor any OpenPGP cert name.  An OpenPGP cert name would be a pain to
provide in a securely meaningful way.  The tag/signature date is not
that important I think (and might be annoying to extract from gpgv).

I think consumers won't need that information.

It also eldides some tag2upload-specific metadata, info about git
branch formats, and so on, but I think a .dsc consumer does not need
that.

Comments welcome.

If you are likely to have an opinion, please reply as soon as you
can, since I hope to do the engineering work to make this thing
production-ready as soon as the relevant design reviews etc. are done.

If it will take you more than a few days to comment, please reply
right away with a holding mail saying when you hope to find the time
to write a substantive reply.

Thanks,
Ian.

[1] The service is still a prototype, but will hopefully be deployed
soon, after some review, privsep work, integration discussions, etc.

Reply to:

Follow-Ups:
- Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]
  - From: Russ Allbery <rra@debian.org>
- Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Re: start-stop-daemon pidfile permissions check
Next by Date: Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]
Previous by thread: Re: start-stop-daemon pidfile permissions check
Next by thread: Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]
Index(es):
- Date
- Thread