Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 920763@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>
Subject: Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
From: Felix Lechner <felix.lechner@lease-up.com>
Date: Wed, 27 Feb 2019 13:07:20 -0800
Message-id: <[🔎] CAFHYt57X4hbAWttcbTEsMVcpcqMtqhm5fjKQP8JuH+LGgX9W9A@mail.gmail.com>
Reply-to: Felix Lechner <felix.lechner@lease-up.com>, 920763@bugs.debian.org
In-reply-to: <[🔎] 87zhqhnhmg.fsf@fifthhorseman.net>
References: <1548750590.4098900.1645903600.28E68FCC@webmail.messagingengine.com> <[🔎] 87sgwbm0v8.fsf@fifthhorseman.net> <[🔎] 1551191051.3778672.1663862888.144B547F@webmail.messagingengine.com> <[🔎] 875zt6molb.fsf@fifthhorseman.net> <154870681980.29950.12867026500568220028.reportbug@alice.fifthhorseman.net> <[🔎] 94142ab6-1fe1-4e79-875a-afd9b4112a74@www.fastmail.com> <[🔎] 87zhqhnhmg.fsf@fifthhorseman.net> <154870681980.29950.12867026500568220028.reportbug@alice.fifthhorseman.net>

Hi Daniel,

On Wed, Feb 27, 2019 at 12:03 PM Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
>
> I guess if we wanted some version of lintian to be able to check on the
> git tag, we need to have some sort of export (git shallow
> something-or-other?) that could be included in debian/ to recreate a git
> repo that would be sufficient to verify the contents of the files and
> confirm the git signature.

I wrote a Debian tool to create a shipping manifest with file-based
hashes. Would it help to include that at the time of packaging? If the
manifest is signed, we could do away with tarball signatures.

Felix

Reply to:

References:
- Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
  - From: Chris Lamb <lamby@debian.org>
- Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
  - From: "Chris Lamb" <lamby@debian.org>
- Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Prev by Date: Updating runtime dependencies on lindsay.d.o
Previous by thread: Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
Next by thread: Processed: Bug #920763 in lintian marked as pending
Index(es):
- Date
- Thread