On Tue, Mar 08, 2016 at 05:10:53PM +0100, Andreas Tille wrote:
> On Tue, Mar 01, 2016 at 06:21:18PM +0000, Mattia Rizzolo wrote:
> > Also, can you please use signed tags? With gbp it is just a matter of
> > adding 'signed-tags = True' in ~/.gbp.conf :)
>
> If we would like to make this the default in the Debian Med team this
> should be added to the policy.

My dreams are bigger: I'd like to see using a standardized git repository
for all packages in the archive mandatory, and usage of signed tags
mandatory too.
Then, this is Debian, I know something like that will likely never happen
anytime soon ;)

> I personally do not see any extra value
> by signed tags since what finally matters is a signed upload. But if
> others think it's a good idea I don't mind.

I'd like to trust git repositories. I'd like to be sure that a tag in a
git repository is *exactly* what has been uploaded to the archive.
Currently when I work out of a git repository I don't know about I always
need to double-check whether what is in the repo is what is in the
archive, by `debuild -S` out of the repository and debdiff against what's
in the archive. It's annoying.
I want to trust that a git tag signed by a key I trust (let's assume I
trust all of debian-keyring) is enough by itself, and I don't need to
double check anything.

Considering that I'm seeing git tags done just about randomly, and them
hardly matching what's uploaded, I think we're still far to go. [0]
The fact that DPMT moved to mandate git-dpm, when it doesn't even support
signed tags, doesn't help my evil plan :)

[0] To be clear, that's a general statement, I don't recall if what I saw
    was in -med or somewhere else.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
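Added example, not code from the thread or from any of the projects mentioned: a small shell script that does the check Mattia describes by hand (verify the tag against the Debian keyring, build the source package from the tagged tree, debdiff it against the archive's .dsc). It assumes gbp's default tag naming (debian/<version>, with ':' mangled to '%' and '~' to '_'), that the repository carries pristine-tar data, and that git, gpgv, gbp and debdiff are installed; the keyring path and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: check that a signed git tag really is what was uploaded.
set -eu

KEYRING=${KEYRING:-/usr/share/keyrings/debian-keyring.gpg}  # assumed path

# Tag name gbp would create for a Debian version (':' -> '%', '~' -> '_').
gbp_tag_for_version() {
    printf 'debian/%s\n' "$1" | sed -e 's/:/%/g' -e 's/~/_/g'
}

# A tag object is the signed payload followed by an armored signature;
# these two helpers split a dumped tag object into those halves.
tag_payload()   { sed    '/^-----BEGIN PGP SIGNATURE-----$/,$d' "$1"; }
tag_signature() { sed -n '/^-----BEGIN PGP SIGNATURE-----$/,$p' "$1"; }

# Verify the tag's signature using only keys from the given keyring, so a
# signature from a key outside debian-keyring is rejected, not just "unknown".
verify_tag_signature() {
    repo=$1; tag=$2; keyring=$3
    tmp=$(mktemp -d)
    git -C "$repo" cat-file tag "$tag" > "$tmp/tag"
    tag_payload   "$tmp/tag" > "$tmp/payload"
    tag_signature "$tmp/tag" > "$tmp/tag.asc"
    gpgv --keyring "$keyring" "$tmp/tag.asc" "$tmp/payload"
    rm -rf "$tmp"
}

# Build the source package from exactly the tagged tree (not the working
# copy) and show what differs from the .dsc that is in the archive.
compare_tag_with_archive() {
    repo=$1; tag=$2; archive_dsc=$3
    out=$(mktemp -d)
    (cd "$repo" && gbp buildpackage --git-export="$tag" \
        --git-export-dir="$out" --git-pristine-tar -S -us -uc >/dev/null)
    debdiff "$archive_dsc" "$out"/*.dsc
}

# Usage: verify_upload.sh <repo> <debian version> <archive .dsc>
main() {
    tag=$(gbp_tag_for_version "$2")
    verify_tag_signature "$1" "$tag" "$KEYRING"
    compare_tag_with_archive "$1" "$tag" "$3"
}

[ "${1:-}" = "--run" ] && { shift; main "$@"; }
```

An empty debdiff after a successful gpgv run is the condition the message asks for: the tag is signed by a key in the trusted keyring and its tree produces the same source package as the archive.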