Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
Hi Daniel,
On Wed, Feb 27, 2019 at 12:03 PM Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
>
> I guess if we wanted some version of lintian to be able to check on the
> git tag, we need to have some sort of export (git shallow
> something-or-other?) that could be included in debian/ to recreate a git
> repo that would be sufficient to verify the contents of the files and
> confirm the git signature.
I wrote a Debian tool to create a shipping manifest with file-based
hashes. Would it help to include that at the time of packaging? If the
manifest is signed, we could do away with tarball signatures.
Felix
Reply to: